Because a static image scanner flags every known vulnerability in a package regardless of whether that package ever gets loaded, executed, or reached once the container is running. A base image can carry two dozen theoretical security vulnerabilities that create zero real exposure, simply because the vulnerable function never gets called. The fix is runtime context: checking whether the vulnerable package is actually running, has network access, or holds root privileges before treating every CVE as equally urgent.
