March 4, 2022, 12:04 p.m. | /u/mike_the_seventh

cybersecurity www.reddit.com

I recently pulled down a secure-sounding CIS Red Hat Enterprise Linux 7 STIG Benchmark, which is published by CIS itself and "Hardened according to a CIS Benchmark - the consensus-based best practice for secure configuration."

Then, I got a free trial of a scanning tool called InsightVM (owned by Rapid7) and tuned it to the CIS benchmarks. It returned with a 67% fail rate.

Is my tool overreacting, or does CIS suck beyond comprehension at understanding their own CIS benchmarks …
