Hacker News

luke5441, today at 7:29 PM

Alternatively, those scanning tools have the same issue all other security scanners have, in that they have too many false positives. And when tuning them to have only a few false positives, they miss the true positives.

Then the real work is in investigating each false positive. Can still be useful compared to manual review, but requires real resources.

Meanwhile the flood of false positives causes reputation loss if not addressed. Reputation loss that closed source software does not get. Hence perhaps going closed source.