Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Wednesday, 22-May-2024 22:23:12 JST
@kornel flawfinder matches on function names, but not only on those.
For example, if you pass any kind of variable as the format argument to the printf family of functions, it's going to trigger, because users able to pass an arbitrary string can end up being a flaw.
Meanwhile a much more useful static analyzer would check if a buffer ends up set to said variable.
Similarly checks against known TOCTOU flaws can be done much better with flow checks than labelling some functions as footguns.
And while I guess something like flawfinder which is eager to label footguns can be useful for audits, it's way too noisy as a regular tool.
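An added example (not from the post above) of the two situations a name-based matcher cannot tell apart: both calls below hand a variable to snprintf's format parameter, but in the first the only possible values are literals from a constant table, while the second is the user-input case the heuristic exists for, shown in its fixed form. The CATALOGUE table and the function names are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Message catalogue (constructed for the example): every format string
 * lives in this const table, so the value reaching snprintf's format
 * parameter can never contain user data even though it arrives through
 * a variable. A matcher keyed on "snprintf with a non-literal format"
 * (flawfinder, or gcc's -Wformat-nonliteral) still reports the call in
 * log_event; a flow-sensitive check would see that the only sources of
 * CATALOGUE[id] are these literals and stay quiet. */
static const char *const CATALOGUE[] = {
    "user %s logged in",
    "user %s logged out",
};
#define CATALOGUE_LEN (sizeof CATALOGUE / sizeof CATALOGUE[0])

/* Formats a catalogue message into out. Returns the length snprintf
 * reports, or -1 if the message id is out of range. */
int log_event(int id, const char *name, char *out, size_t out_len)
{
    if (id < 0 || (size_t)id >= CATALOGUE_LEN)
        return -1;
    /* Non-literal format: flagged by name-based tools, but constant. */
    return snprintf(out, out_len, CATALOGUE[id], name);
}

/* The case the heuristic is meant to catch is user-controlled text
 * used as the format itself. The fix is to pass that text as an
 * argument to a literal "%s" format, as here, so any '%' in the input
 * is copied verbatim instead of being interpreted as a conversion. */
int echo_line(const char *user_text, char *out, size_t out_len)
{
    return snprintf(out, out_len, "%s", user_text);
}
```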