Scanning tools are slow, which impacts release agility.
There are too many false positives (and negatives), meaning a security expert still has to sit there and do a manual review to sort the real bugs from the phantom ones.
Far too many common vulnerabilities are revealed that should have been picked up before the code was deployed. Do companies really want their very expensive security experts distracted from big, complex security problems with the small stuff?
Scanners find issues; they don’t fix them.
Some tech-lead automation can lead to diminished code quality.
It’s hard to strike a balance between tools and people.