If you use a custom image (Dell, HP, etc.) you should configure VUM to download customized updates, and follow those. If a security update comes out, before applying it, always check that the supplier of the custom image has released it.
When you scan the host via VUM, wouldn't VUM check which ESXi image is running and display the correct applicable missing updates/patches?
Obviously it doesn't check, but you have to follow the customized image. If there is an update that does not come from the supplier, you must not apply it unless a note is issued directly by the supplier (check the supplier's website). It can happen that if you apply a non-customized update on a custom installation, you lose the customizations made by the supplier. This also happens with drivers.
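The pre-patch check that the reply above recommends, as an added example that is not part of the thread or of any VMware tool: a small POSIX sh script (suitable for the ESXi shell or a jump host reading esxcli output over SSH) that reads the text of `esxcli software profile get` to tell an OEM-customized image profile from a stock VMware one, and the text of `esxcli software vib list` to record which installed VIBs come from the OEM, so they can be compared again after patching. The two sample outputs are constructed to mirror the shape of those commands' output; the profile name, vendor strings and VIB names in them are assumptions, not real release identifiers.

```shell
#!/bin/sh
# Added example (not from the thread): pre-patch checks for a host before a VUM
# baseline is remediated, working on esxcli text output.
#   esxcli software profile get   -> which image profile (and vendor) the host runs
#   esxcli software vib list      -> which installed VIBs come from the OEM
# Both samples below are constructed; names and vendors are assumptions.

SAMPLE_PROFILE='DEL-ESXi-example-A00
   Name: DEL-ESXi-example-A00
   Vendor: Dell
   Creation Time: 2023-01-01T00:00:00
   Modification Time: 2023-01-01T00:00:00
   Stateless Ready: True
   Description: Dell customized image (constructed sample)
   VIBs: dell-configuration-vib, ata-libata-92'

SAMPLE_VIBS='Name                    Version            Vendor  Acceptance Level  Install Date
----------------------  -----------------  ------  ----------------  ------------
ata-libata-92           3.0.0-1            VMW     VMwareCertified   2023-01-01
dell-configuration-vib  7.0.0-A01          DEL     PartnerSupported  2023-01-01
net-mlx-example         1.0.0-1            MEL     VMwareCertified   2023-01-01'

# Print the Vendor field of `esxcli software profile get` output read from stdin.
profile_vendor() {
  sed -n 's/^[[:space:]]*Vendor:[[:space:]]*//p' | head -n 1
}

# Classify the image profile read from stdin: "stock" for a VMware-built
# profile, "oem" for a partner-customized one, "unknown" if no Vendor line.
image_kind() {
  v=$(profile_vendor)
  case "$v" in
    "") echo unknown ;;
    VMware*) echo stock ;;
    *) echo oem ;;
  esac
}

# Print the names of installed VIBs whose Vendor column is not VMware, one per
# line, from `esxcli software vib list` output read from stdin. These are the
# OEM drivers/agents to record before patching and to re-check afterwards.
oem_vibs() {
  awk 'NR > 2 && $3 != "VMW" && $3 != "VMware" { print $1 }'
}

# Return non-zero (so a wrapper can abort) when the host runs an OEM image:
# per the thread's advice, wait for the OEM's own build of the patch instead.
preflight() {
  kind=$(image_kind)
  if [ "$kind" = oem ]; then
    echo "OEM image profile detected: apply only the OEM's customized patch release" >&2
    return 1
  fi
  return 0
}

# Stand-alone demo on the constructed samples. On a real host replace the
# printf with the live command, e.g.:  esxcli software profile get | image_kind
printf '%s\n' "$SAMPLE_PROFILE" | image_kind
printf '%s\n' "$SAMPLE_VIBS" | oem_vibs
```

Run `oem_vibs` once before remediation and once after, and diff the two lists: any OEM VIB that disappears is a customization (typically a driver or management agent) that the generic patch replaced, which is exactly the loss the reply warns about.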
"Obviously it doesn't check"
I believe at no point does VUM warn you that the critical security patches are not applicable to vendor custom ESXi images.
If this is really an issue, a warning should be generated, as right now you can apply the critical security baseline, scan and remediate applicable patches via VUM irrespective.