> As someone running a company, I get 2-5 unsolicited "vulnerability reports" per week. Half of them are an LLM finding some bad CSS on our framer splash page. The other half I assume are an extortion attempt so we just mark as spam.

I don't think that is unique to the LLM era. The company I work for has been getting some form of spam vulnerability reports years before LLMs were a thing. Often similar to what you mention about 'bad CSS'.

Maybe the volume has increased a bit, but we've added in a filtering solution and I'm more distant from the reports now, so hard to be sure.