Since the scanners don't actually run a scan, or compare a current version against known vulnerabilities in a database/API, we should perhaps at least warn (or fail -- with a way to set a failure as resolved) if the last known version of a plugin or theme (or core) has vulnerabilities.