Found the issue – you must remove them from the Domain Admin group. Deleting the User account does not clear the vulnerability. You must remove them from Domain Admin – then the vulnerability clears.
So even a deleted account stays in the vulnerability if it was in Domain Admin when you deleted it.