Hacker News

At GitHub we're pretty proud of the scan results from CodeQL. Currently, 70% of alerts flagged in PRs are fixed (rather than marked as a false positive or won't fix). We think we can get that number up to 85%+ as we gather more data and iterate on the queries (which are all open source).



Hmm, can you please share more details about this data: what kind of vulnerabilities you're finding, what "fix" means, what the sensitivity of the analyser is (flow, procedure), what the underlying abstractions are regarding memory, concurrency, etc.? From the demos so far it's hard to see past a standard taint analyser. 70% precision on a static analyser is very high for a general-purpose analyser unless you have a lot of missing vulnerabilities. The static analysis/formal verification community would definitely be interested in getting more details about your experiments.



