A human being.
Vulnerability scanners generally look for open tcp and udp ports. Say a Cisco switch only allows ssh (tcp/22) and restricts that via ACL on the vty line.
A typical vulnerability scanner may say that device is very secure. Never mind that your IOS is subject to lots of security-related bugs that may manifest if you enable any other services in the future (ntp, snmp, https etc.). Never mind that you aren't sending syslogs anywhere and, if you are, you have no people actually analyzing the received data. Never mind that you don't have any network access control (a la 802.1x and/or ISE) and there your switch is just an open invitation for intruders to connect to your network.
Get my point?
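
The post's point as an added example (not part of the original answer): a port scan of the switch it describes sees only tcp/22, while a check of the running configuration surfaces the gaps the post lists. The sample configuration is constructed and the `audit` function is hypothetical.

```python
import re

# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname sw-access-01
aaa new-model
ip ssh version 2
no ip http server
no ip http secure-server
access-list 10 permit 192.0.2.0 0.0.0.255
interface GigabitEthernet1/0/1
 switchport mode access
line vty 0 4
 access-class 10 in
 transport input ssh
"""

def audit(config):
    """Return findings for the gaps the post lists, none visible to a port scan."""
    lines = [l.rstrip() for l in config.splitlines()]
    findings = []
    # Collect the indented sub-commands under each 'line vty' block.
    vty, in_vty = [], False
    for l in lines:
        if l.startswith("line vty"):
            in_vty = True
        elif in_vty and l.startswith(" "):
            vty.append(l.strip())
        else:
            in_vty = False
    if not any(c.startswith("access-class ") and c.endswith(" in") for c in vty):
        findings.append("vty: no inbound access-class")
    if "transport input ssh" not in vty:
        findings.append("vty: transport input is not ssh-only")
    # Syslog export: 'logging host <addr>' or the older 'logging <addr>' form.
    if not any(re.match(r"logging (host )?\d+\.\d+\.\d+\.\d+", l) for l in lines):
        findings.append("logging: no remote syslog host configured")
    # 802.1X must be enabled globally before any port can enforce it.
    if "dot1x system-auth-control" not in lines:
        findings.append("nac: 802.1X not enabled globally")
    # Services that are off today but widen exposure on a buggy IOS if enabled.
    for prefix, name in (("ntp server", "ntp"), ("snmp-server", "snmp"),
                         ("ip http secure-server", "https")):
        if any(l.startswith(prefix) for l in lines):
            findings.append(f"service: {name} enabled, check IOS advisories")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A clean result here only means the settings are present; whether anyone reads the syslog data is still the human question the post raises.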