Is there some special configuration to get Qualys to recognize that Oracle DBBP bundles are equivalent to a PSU as far as the vulnerability check goes? DBBP patches are supersets of PSU patches (Metalink docid 756671.1).
The choice of applying DBBP vs CPU is not really optional. Some environments require DBBP (engineered systems, ...), and it is also mandated by some software vendors (SAP, for example) in all environments.
DBBP and PSU are mutually exclusive, so there is no easy way to get around this check.
It would seem that Qualys can easily build some patch equivalence tables when they scan through the opatch output (I'm assuming they use opatch to list the patch repository). They can also go one level deeper and examine all of the bugs fixed, since the same bugs are listed in both.
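The bug-level comparison suggested in the post, sketched as an added example that is not part of the original post and not Qualys's own logic: it parses inventory text and checks whether every bug a PSU fixes is already fixed by the installed patches. The sample text is constructed in the layout of `opatch lsinventory` output, and all patch and bug numbers are made up.

```python
import re

# Constructed sample in the layout of `opatch lsinventory` output.
# Patch and bug numbers are invented for illustration.
SAMPLE_INVENTORY = """\
Patch  90000001     : applied on Mon Jan 01 10:00:00 UTC 2018
Patch description:  "DATABASE BUNDLE PATCH (constructed example)"
   Bugs fixed:
     10000001, 10000002, 10000003, 10000004,
     10000005
Patch  90000002     : applied on Mon Jan 01 10:05:00 UTC 2018
Patch description:  "One-off fix (constructed example)"
   Bugs fixed:
     10000009
"""

# Constructed bug list that a scanner would associate with the PSU it expects.
PSU_BUGS = {"10000001", "10000002", "10000003"}

PATCH_RE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on")
BUG_LINE_RE = re.compile(r"^\s*\d+(\s*,\s*\d+)*\s*,?\s*$")

def parse_inventory(text):
    """Return {patch_id: set(bug_numbers)} from lsinventory-style text."""
    patches, current, in_bugs = {}, None, False
    for line in text.splitlines():
        m = PATCH_RE.match(line)
        if m:  # start of a new installed-patch entry
            current, in_bugs = m.group(1), False
            patches[current] = set()
        elif current and line.strip().lower().startswith("bugs fixed"):
            in_bugs = True
        elif current and in_bugs and BUG_LINE_RE.match(line):
            patches[current].update(re.findall(r"\d+", line))
        else:  # any other line ends the current bug list
            in_bugs = False
    return patches

def psu_equivalent(inventory_text, psu_bugs):
    """Return (covered, missing): covered is True when every PSU bug is fixed."""
    installed = set()
    for bugs in parse_inventory(inventory_text).values():
        installed |= bugs
    missing = set(psu_bugs) - installed
    return not missing, missing
```

A non-empty `missing` set is the case that would justify flagging the host even though a bundle patch is installed.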