Chasing a 100% score might be hard and maybe pointless. Personally, I think it’s worth looking through the security scan results and considering whether your application actually uses any of the components that are vulnerable and, even if it does, whether the attack vector exists in your application.
E.g. many of the vulnerable components in our images are components like Libv8, except we only use Libv8 to compress our assets during build time; during runtime we don’t use Libv8, so any attack vectors resting on access to Libv8 are relatively safe to ignore.
The important things to pay attention to are services you’re publicly exposing, or components used by those services.
E.g. if you were exposing a PHP application on port 80 that took images and processed them using ImageMagick, then it would be extra important that we pay attention to the security scanner’s results for both PHP, ImageMagick and any libraries that ImageMagick depends upon (libpng, etc).
I’m not saying don’t pay attention to the results. It can be hard to know, for example, that, say, libpng internally uses another library which itself is vulnerable, but I’m saying it’s certainly worth looking through the vulnerabilities and assessing them as to whether or not they apply to your application.
Hope this helps!
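
The triage described above can be sketched in code. This is an added example, not part of the original post. It walks the runtime dependencies of exposed services transitively, so nested libraries are caught. The inventory, the finding IDs and the labels are constructed assumptions, not output from any real scanner.

```python
from collections import deque

# Constructed inventory (assumption): what each component pulls in at runtime.
RUNTIME_DEPS = {
    "php-app": ["php", "imagemagick"],
    "imagemagick": ["libpng", "libjpeg"],
    "libpng": ["zlib"],
}
EXPOSED_SERVICES = ["php-app"]   # the service listening on port 80
BUILD_ONLY = {"libv8"}           # only used to compress assets at build time

# Constructed scanner findings; the IDs are placeholders, not real advisories.
FINDINGS = [
    {"id": "FINDING-0001", "component": "libv8", "severity": "high"},
    {"id": "FINDING-0002", "component": "imagemagick", "severity": "medium"},
    {"id": "FINDING-0003", "component": "zlib", "severity": "low"},
    {"id": "FINDING-0004", "component": "curl", "severity": "high"},
]

def reachable_from_exposed(deps, exposed):
    """Every component reachable (transitively) from an exposed service."""
    seen, queue = set(exposed), deque(exposed)
    while queue:
        for child in deps.get(queue.popleft(), []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen

def triage(findings, deps, exposed, build_only):
    """Map finding id -> 'review-first', 'build-time-only' or 'assess'."""
    reachable = reachable_from_exposed(deps, exposed)
    labels = {}
    for finding in findings:
        component = finding["component"]
        if component in reachable:
            labels[finding["id"]] = "review-first"     # behind a public service
        elif component in build_only:
            labels[finding["id"]] = "build-time-only"  # absent from runtime path
        else:
            labels[finding["id"]] = "assess"           # usage unknown, check by hand
    return labels

if __name__ == "__main__":
    result = triage(FINDINGS, RUNTIME_DEPS, EXPOSED_SERVICES, BUILD_ONLY)
    for finding_id, label in result.items():
        print(finding_id, label)
```

Note that the low-severity zlib finding lands in "review-first" because it sits two levels below ImageMagick, while the high-severity Libv8 finding does not.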