Should I trust the risk assessment in OWASP ZAP?
Should I trust the risk assessment in OWASP ZAP? Or is it individually calculated?
All good and positive :-)
OWASP are serious guys, and their tools are popular.
But an attack is a complex event, and the tools only point out potentially "interesting" places so that the information security specialist can analyze them and not overlook anything.
You get a warning that a cookie without the "HttpOnly" flag can be stolen via JavaScript, for example. Bad? Yes. Dangerous? Yes. But if the attacker has no way to modify the content of the site (that is, there is no XSS vulnerability), then the risk from the missing HttpOnly drops to zero. What is the point if you can't pull the cookies out anyway?
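To make the answer above concrete, here is an added example (not code from the thread or from OWASP ZAP) showing how a passive check like the "cookie without HttpOnly" alert is derived from the response headers, and what an injected script would actually get back from `document.cookie`. The helper names (`parseSetCookie`, `auditSetCookie`, `scriptReadableCookies`), the severity wording and the sample headers are this example's own assumptions, not ZAP's exact rules or output.

```javascript
// Added example, not from the original thread or from ZAP.
// Shows how a scanner turns Set-Cookie headers into findings, and which
// cookies an XSS payload could read. Helper names are this example's own.

// Parse one Set-Cookie header into its name and the attribute flags we care about.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const flags = { name, httpOnly: false, secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'httponly') flags.httpOnly = true;
    else if (key === 'secure') flags.secure = true;
    else if (key === 'samesite') flags.sameSite = (v || '').trim();
  }
  return flags;
}

// Rule-based findings, roughly the way a passive scanner reports them. The
// wording here is this example's own, not ZAP's alert text. Note that the
// scanner cannot know whether an XSS exists, so it reports the missing flag
// regardless; the real impact depends on that context, as the answer says.
function auditSetCookie(headers) {
  return headers.map(parseSetCookie).map((c) => {
    const findings = [];
    if (!c.httpOnly) findings.push('missing HttpOnly: readable via document.cookie if an XSS exists');
    if (!c.secure) findings.push('missing Secure: sent over plain HTTP');
    if (!c.sameSite) findings.push('missing SameSite: sent on cross-site requests');
    return { name: c.name, findings };
  });
}

// What an injected script would see in document.cookie: the browser only
// exposes cookies that were set without HttpOnly, so these are the ones an
// XSS payload could exfiltrate.
function scriptReadableCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// Constructed sample response headers: a weak session cookie beside a hardened one.
const SAMPLE_HEADERS = [
  'session=abc123; Path=/',
  'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
];

// Stand-alone usage: print the findings for both cookies.
for (const result of auditSetCookie(SAMPLE_HEADERS)) {
  console.log(result.name, result.findings.length ? result.findings : 'no findings');
}
console.log('readable by script:', scriptReadableCookies(SAMPLE_HEADERS));
```

The second header is the hardened form of the first: with `HttpOnly` the cookie never appears in `document.cookie`, with `Secure` it is never sent over plain HTTP, and `SameSite` limits cross-site sending. The scanner's alert is the same in both contexts; whether it is exploitable depends on whether the site has an XSS, which is exactly the judgment the answer above says the tool leaves to the analyst.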
It's worth it; some companies don't fix everything above Low immediately while writing the code, they leave it in the backlog until there is free time, unless AppSec proves otherwise with a pentest.