The problem is, the libraries and SDK used to build the app will have had vulnerabilities for sure. Same for the underlying image (unless scratch / distroless).
We run extensive vulnerability scanning in our pipelines, and Go libs occasionally pop up. The Go SDK also had multiple security fixes in the last year.