Speaking from personal experience, management don't care what the actual risk is. Red number in Nessus = bad, that's all they know. We can write a treatise on why these detections don't represent actual vulnerabilities, which management will simply not understand and disregard, or we can tell the users their old but still functional software is going away.
On the bright side, we've managed to get several departments to spend money on software maintenance, so at least we can run the most recent versions of the detected applications, which usually do have security fixes in them - and if they don't, then finally management will accept the risk and let us just mitigate. The flipside is the business is spending a lot more money on updating software that "worked fine" and wasn't actually vulnerable but had an old library or two included.
I've found most security scanning software is worse than AV software for false positives. As you say, they have absolutely no idea what the context is; it's just "this file exists, therefore you're vulnerable".
Unfortunately, for certain security "qualifications", at least in the UK, you have to run these scans and prove that you're not vulnerable to pass. It's a great gift to the companies that make security scanning software, and it's a nice bonus for the publishers of all the software we're now paying maintenance on, but the security impact is... minimal.