So the "don't delete things" is default behaviour - and we do the same with all patches too.
So if you have a 10 year old Core (for argument's sake), you may find that you have a LOT of stuff that's no longer relevant / needed ... under "normal" circumstances.
So - this is where our diverse customer base comes in ... a bunch of people wouldn't really care about (say) Windows XP since they moved off of that. And yet I'm still dealing (for instance) with a bunch of accounts that still use Windows XP (not that it's something that I'm advocating as a good thing).
So - how do you clean up vulnerabilities / patches & such?
Well - you can disable RULES (/vulnerabilities) that are replaced using the "disable replaced rules" button here... (click on the images for full size).
More info on this can be found here -- How To: Manage Superceded Patches in Patch and Compliance Manager (for instance).
... and you can DELETE patches for items that haven't been detected in X (configurable) days via HERE...
==================
Keep also in mind that "just because there *IS* a driver update" doesn't mean "that the new driver will work / will keep compatibility with your business critical in-house apps". So *NOT* forcefully replacing drivers is generally speaking a good thing, as the amount of sensitivity (around Provisioning, business-critical apps, etc) should NOT be underestimated.