Us: "Any container that uses library X will show this CVE"
Bank: "You have to get rid of the CVE"
Us: "You cannot get rid of that CVE because your software checks for the existence of the library, not the existence of a potentially weak configuration that could cause a problem. This is like saying we have to get rid of the car because it contains gas, rather than ensuring we have safe gasoline storage practices"
The lack of granularity in CVEs, alongside their accepted authority, enables clumsy, brute-force compliance procedures and gives them teeth. The two are tied together.
That sounds more like a problem with the compliance team in question having policies that are flawed in one or more ways.
One entity blindly/inflexibly/irrationally/wrongly reacting to some other entity's proclamation isn't the fault of the entity making the proclamation.