The details about the actively malicious ones in there seem a lot more interesting actually. The "X% have some outdated code somewhere, we didn't test if its actually used" reports on the other hand seem to be required yearly publishing for any security company doing anything with containers...