I think there's an easy way to distinguish "likely problem" from "likely false positive" in this case. If a shell loops over one value AND that value is the name a previously-assigned variable, that is likely a variable name missing its "$". Otherwise it's plausibly a loop over 1 value (which is a little odd, but not insane and such a construct is less likely to be an error).
I doubt such a construct often leads to a vulnerability. It seems like the sort of thing likely to be detected in practically any testing, since it's deterministic & doesn't depend on attacker input at all. --- David A. Wheeler
