I have both done pentests and received pentest reports. My observation is that the perceived severity often varies between the tester and the customer.
Please don't act like the German conservative party:
The CDU [German conservative party] lodged a criminal complaint against Wittmann after she told the party about a security vulnerability in the CDU-Connect election campaign app. (source)
Last week, I tried to register for a service and was really surprised by a password limit of 16 characters. Why on earth would you impose such strict limits? Never heard of correct horse battery staple?
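To make the point concrete, here is an added example (not from the original post) that compares the entropy of a Diceware-style passphrase with that of a random character password, shows how a 16-character cap rejects "correct horse battery staple" while a generous cap does not, and hashes the full secret with scrypt to show that storage does not require a short cap. The policy function, its 12/128 bounds and the wordlist size of 7776 are assumptions for illustration.

```python
import hashlib
import math
import os

# Assumed sizes: the standard Diceware list has 6^5 = 7776 words,
# and there are 95 printable ASCII characters.
DICEWARE_WORDS = 7776
PRINTABLE_ASCII = 95


def random_password_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, wordlist_size=DICEWARE_WORDS):
    """Entropy in bits of `word_count` words drawn uniformly from the wordlist."""
    return word_count * math.log2(wordlist_size)


def accepts(secret, min_len=12, max_len=128):
    """Hypothetical registration policy: enforce a floor, and use a ceiling only
    large enough to bound hashing cost, not to stop passphrases."""
    return min_len <= len(secret) <= max_len


def store(secret, salt=None):
    """Hash the whole secret with scrypt. Memory-hard hashing handles arbitrary
    lengths, so nothing on the storage side forces a 16-character cap."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt, digest


if __name__ == "__main__":
    phrase = "correct horse battery staple"  # 28 characters, 4 words
    print(f"4-word passphrase: {passphrase_bits(4):.1f} bits")
    print(f"16 random chars:   {random_password_bits(16):.1f} bits")
    print("accepted with 16-char cap:", accepts(phrase, max_len=16))
    print("accepted with 128-char cap:", accepts(phrase))
    salt, digest = store(phrase)
    print("scrypt digest length:", len(digest))
```

A random 16-character string still carries more entropy than four words, but users rarely pick random strings; the cap only removes the memorable option. If a site hashes with bcrypt it does truncate input at 72 bytes, which explains a cap at 72, never at 16.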