
She's mostly focussed on (a), it seems, and I can understand the frustration - all too often we get lengthy missives from client consultants along the lines of "Ran scanning tool. Suggests that the version of PHP.net you are using is vulnerable to LSASS and STUXNET vulnerabilities, our client is terrified, pay me off to make the pain go away." We get a genuine vulnerability reported once in a blue moon.

(b) is good, but her point that them spending their time doing static analysis of Oracle's software is a monumental waste of time is perfectly valid, if their root password is password and the firewall is just some sheetrock in the basement.


