False positives are not so bad. I can go through search through over 100 error messages in an hour. The next time an RC1 kernel is released I ignore all the messages I checked last time.
If a tool prints 1000 error messages with a 99% false positive rate it would take me 2 days to find 10 bugs. Of course, it is dreary work, but the bad guys are willing to do it.
Blatant Self Promotion: smatch takes about 4 hours to check a kernel on my eee. Smatch has an array overflow check but it sucks. I will improve it to find the bug described in the article.
Basically, once you understand the possible values of variables it is easy to check for things like this. Smatch tries to track all the possible values at any point. Once you have that, looking for bugs is much easier.