I hope you will find this so obvious but unfortunately security community is highly relied on vulnerability scanning in a way which makes it totally useless or even harmful!
Vulnerability assessment is evaluating of a System against known and potential security flaws. A System is simply a collection of processes, workflows, people, nodes, software…but traditional vulnerability scanning only focuses on individual nodes and software rather than seeing them as a whole equation.
Today’s common vulnerability scanning which is believed to be so effective and is the center of attention for almost all type of manages security services, is actually harmful in a way that completely ignores the attack vectors coming and result from presence of link and connection and relation between many (all) components of a system, not just computers, webservers and software applications.