Qualys addresses various vulnerabilities of an OS patch as a single QID. As an example, I mention the recently released QID 91563, which combines several CVE numbers (CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, CVE-2019-1223, CVE-2019-1224, CVE-2019-1225, CVE-2019-1226).
As I understand Qualys, the QID is not recognized as fixed until all single components of the QID have been handled, even if all but one have been removed.
If this is confirmed, I consider it a weakness in the system, as it is not possible to report on the individual components of the QID.
I am sure that Qualys can give me a satisfactory answer here, with which I can dispel the concerns of my customer...