TL;DR: ReDoS “vulnerabilities” are, overwhelmingly, indistinguishable from malicious noise:

1. They exist primarily because of misaligned incentives in the security reporting and vulnerability reporting ecosystems (and industries);

2. The risk they pose is extremely context sensitive and does not align with their ridiculous “severity” scores;

3. They produce security fatigue in the very engineers they’re meant to help, and effectively represent their own denial of service against timely resolution of actual vulnerabilities.

I agree with this.

While it would be nice to switch everything to non-backtracking regular expressions, most ReDoS cases don't cause major security issues.
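To make the two halves of that sentence concrete, here is an added example (mine, not code from the quoted post or its author). Go's standard `regexp` package has RE2 semantics, i.e. it is a non-backtracking engine with a linear-time guarantee, so a nested-quantifier pattern of the kind ReDoS reports flag finishes promptly even on a megabyte of worst-case input. The second function shows the cheaper, engine-independent lever that usually decides whether such a finding matters in context: an input-length cap applied before any regex runs. The pattern, the `maxFieldLen` limit and the adversarial string are all constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Nested quantifier of the kind ReDoS reports flag (constructed for this example).
// Under a backtracking engine, "aaa...a!" forces exponential work; Go's regexp
// (RE2 semantics) guarantees time linear in the input length instead.
var nestedQuantifier = regexp.MustCompile(`^(a+)+$`)

// maxFieldLen is a hypothetical application limit, e.g. a username field.
// This kind of context is what decides whether a "ReDoS-prone" pattern matters.
const maxFieldLen = 64

// adversarialInput builds the classic worst case for ^(a+)+$ :
// n repetitions of "a" followed by a character that defeats the match.
func adversarialInput(n int) string {
	return strings.Repeat("a", n) + "!"
}

// matchLinear runs the pattern through Go's non-backtracking engine and
// reports whether it matched plus the wall-clock time spent.
func matchLinear(s string) (bool, time.Duration) {
	start := time.Now()
	ok := nestedQuantifier.MatchString(s)
	return ok, time.Since(start)
}

// matchBounded is the engine-independent mitigation: refuse oversized input
// before any regex runs. It returns (matched, rejectedForLength).
func matchBounded(s string) (bool, bool) {
	if len(s) > maxFieldLen {
		return false, true
	}
	return nestedQuantifier.MatchString(s), false
}

func main() {
	// Even at 1 MiB of worst-case input the linear engine returns quickly.
	for _, n := range []int{32, 1 << 12, 1 << 20} {
		ok, elapsed := matchLinear(adversarialInput(n))
		fmt.Printf("n=%-8d matched=%v  linear-engine time=%v\n", n, ok, elapsed)
	}
	// With a field limit in place the regex never sees the oversized input at all.
	_, rejected := matchBounded(adversarialInput(1 << 20))
	fmt.Println("bounded path rejected oversized input before matching:", rejected)
}
```

The point of running both paths side by side is that the length check, not the regex engine, is usually the property a reviewer should look for when triaging a ReDoS report: if every caller already bounds the input, the pattern's theoretical complexity is irrelevant to the actual risk.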

This is also a problem with the industry in general, as various vulnerability scanners are full of useless noise.