In the included screenshot, you can see the two issues Defender has picked up.
In the first, it says there's a vulnerability in WordPress 2.3-4.7.4 and that I'm on 4.7.5. Where it says "This bug has been fixed in version:" there's no version information. I take this to mean that Defender thinks there's a problem, but can't reconcile my core version as being out of range for the vulnerability. So there's no suggested fix.
However, with the second issue, it says there's a vulnerability in the Divi theme and that "This bug has been fixed in version: 2.6.4"... and it correctly identifies that I have 3.0.46 installed. So I don't know what's happening there.
I could mark these both to be ignored, but that wouldn't fix Defender or prevent it from falsely reporting vulnerabilities for versions of WordPress core, or plugins and themes when I don't have a version installed that's affected.
Hopefully this can be identified and fixed in Defender.