Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#10
Originally Posted by microe:
> > At most, it is a potential one.
>
> Never, ever marginalize the effect of an invalid pointer in kernel space.
I do marginalize the effectiveness of a static code analysis tool for detecting such issues.
Code:
struct some_interface *c = get_from_global_variable();  /* which implementation this is, is only known at run time */
some_callback_type f = default_callback();              /* f starts out as a valid callback... */

if (c->do_something(c, &f)) {    /* ...but the callee may overwrite it, possibly with NULL */
    f();                         /* indirect call; the target is whatever the backend left in f */
}
What's a static code analysis tool going to do here? It may:
a) Either detect a "potential NULL dereference", thus indicating that the 5000000 "potential bugs found" count is pure crap.
b) Do nothing. I do not know which one is worse!
c) Somehow magically deduce all possible code paths and follow them all to detect where the actual bug is. The list of all available code paths does not only depend on hardware configuration but might actually even depend on the current time.

Not to mention the above is a pretty common idiom, especially if, as the makers of this tool themselves put it, "dereferencing function pointers is quite common on the kernel".

Originally Posted by microe:
> Since the last DEFCON showed off an Android remote exploit that only required a minimal amount of user input and a way to create one's own cell that piggy-backs the actual cell, I wouldn't call this a publicity stunt. And Coverity ain't cheap.

I do not see why a local root exploit would have helped here. Especially one where, to exploit it, you need to get at functionality that a sandbox usually forbids, such as mmap().

Now on Maemo getting root is usually as easy as running any of the numerous setuid binaries or sudoers-listed programs, so I can understand why it doesn't matter. On other platforms, maybe that's not true. On WebOS at least, _every application_ already runs as root by default, and there was no normal user at all until a recent version.

Now, of course their tools ain't cheap. They're doing a great service to the community IMHO, but also getting some free marketing for a tool that a decade or two ago would have been laughed at.

Note: I'm not saying it is useless; it's as useless as getting a human to do it: they might get it wrong, but "the more eyes...".

Last edited by javispedro; 2010-11-04 at 18:27.
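The function-pointer idiom argued about above, fleshed out as a complete C program. This is an added example, not code from the forum post or from any static analysis vendor: the names `some_interface`, `do_something`, `default_callback` and `get_from_global_variable` follow the post's snippet, while the backend registry, the "flaky" backend whose behaviour depends on a run-time tick counter (standing in for hardware configuration or the current time), and the hardened caller are assumptions made for illustration. The point it shows is that the call site `f()` is correct or a NULL dereference depending solely on which backend was registered and on state that only exists at run time, so a checker flagging the call site either reports a "potential" bug everywhere this idiom appears or nothing at all; the defensive fix is to treat the callback as untrusted output of the backend and check it before calling.

```c
/* Added example (not from the forum post): the indirect-call idiom with a
 * callee that is only resolvable at run time. Backend names, the tick counter
 * and the hardened caller are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>

typedef int (*some_callback_type)(void);

struct some_interface {
    const char *name;
    /* Fills *cb and returns nonzero when the caller is expected to invoke it. */
    int (*do_something)(struct some_interface *self, some_callback_type *cb);
};

static int default_cb_impl(void) { return 42; }
static some_callback_type default_callback(void) { return default_cb_impl; }

/* Well-behaved backend: always hands back a valid callback. */
static int good_do_something(struct some_interface *self, some_callback_type *cb)
{
    (void)self;
    *cb = default_cb_impl;
    return 1;
}

/* Misbehaving backend: reports success but clears *cb on every odd tick.
 * The branch taken depends on state known only at run time; the bug lives
 * here, not at the call site a checker would point at. */
static unsigned tick;
static int flaky_do_something(struct some_interface *self, some_callback_type *cb)
{
    (void)self;
    if (tick++ & 1u)
        *cb = NULL;
    else
        *cb = default_cb_impl;
    return 1;
}

static struct some_interface backends[] = {
    { "good",  good_do_something },
    { "flaky", flaky_do_something },
};
static struct some_interface *current_backend = &backends[0];

/* Stand-in for get_from_global_variable(): whichever backend was registered. */
static struct some_interface *get_from_global_variable(void) { return current_backend; }

static void select_backend(size_t i) { current_backend = &backends[i]; tick = 0; }

/* The post's idiom as written: two indirect calls, the second through a
 * pointer the first one is free to overwrite. Crashes if a backend cleared f. */
static int call_unchecked(void)
{
    struct some_interface *c = get_from_global_variable();
    some_callback_type f = default_callback();
    if (c->do_something(c, &f))
        return f();
    return -1;
}

/* Hardened caller: the callback is output of an untrusted backend, so it is
 * validated before the indirect call instead of assumed to be non-NULL. */
static int call_checked(void)
{
    struct some_interface *c = get_from_global_variable();
    some_callback_type f = default_callback();
    if (c->do_something(c, &f)) {
        if (f == NULL) {
            fprintf(stderr, "%s: backend returned no callback\n", c->name);
            return -2;
        }
        return f();
    }
    return -1;
}

/* Peeks at what the current backend would hand back next, without advancing
 * its state, so the NULL path can be observed without crashing. */
static int next_callback_is_null(void)
{
    some_callback_type f = default_callback();
    unsigned saved = tick;
    current_backend->do_something(current_backend, &f);
    tick = saved;
    return f == NULL;
}

int main(void)
{
    int a, b;
    select_backend(0);
    printf("good backend, unchecked: %d\n", call_unchecked());
    select_backend(1);
    a = call_checked();
    b = call_checked();
    printf("flaky backend, checked: %d then %d\n", a, b);
    return 0;
}
```

Running `call_unchecked()` against the flaky backend on an odd tick is the actual crash; the program deliberately only exercises the checked caller on that backend. Nothing about the two callers differs syntactically at the point a tool would inspect, which is the post's complaint: the difference is in which backend is installed and in how many times it has been called before.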