Importance of CMDB after VR implementation

Martin Dewit
Kilo Sage

I have recently read up on a lot of documents and videos on proper VR configuration prior to production deployment. A lot of it had to do with a properly configured and established CMDB. Well, my organization set up VR before even starting to mature our CMDB. We have many discrepancies with our Qualys VR data and matching with our CMDB. We have brought up to the CMDB team the importance for VR. I see it like this: we have so much good data from Qualys (IP, DNS, Hostname, Vulnerabilities, etc.) and it seems the CMDB team prefers their own methods of discovery. Their discovery is still in beginning stages, so we either try to persuade them to use existing good data from Qualys, or we sit and wait until their discovery is finished and deployed across the enterprise.

How can we get CMDB team buy-in post production deployment on using existing Qualys/VR data to mature the CMDB (as a result improving both databases, VR and CMDB)?

One of the ways could be to filter the data from the scanner side. Several scanners provide these capabilities.

Example: Qualys has Tags or Asset Group, Rapid7 has Site Filter. In this way, you can filter these from coming to ServiceNow as well.

ServiceNow Employee

Others here are correct.  I think it's important to make one additional point.  CMDB is not important AFTER a VR implementation.  CMDB is a critical part of any VR implementation (and a lot of other processes in ServiceNow).  

I'd suggest starting a CMDB Steering Committee to help identify how best to prioritize data sources for your CMDB. After all, your vulnerability scanner is about 100% likely to bring in some devices that you don't have from other discovery methods.  That said, there are also lots of cases where a vulnerability scanner has many results for the same CI if it has many interfaces on the network (think of network routers, for example).  This is especially common on items that are scanned with an unauthenticated scan. A complete CMDB can be a godsend to vulnerability remediation teams who are trying to filter through millions of scan records.

It's absolutely the case where the conversation shouldn't be about whether your CI data from Qualys impacts the CMDB, but rather how it should be prioritized and reconciled (through appropriate rules in the IRE) as compared to other data sources.  It's not a competition between security and IT Ops.  A robust CMDB will benefit everyone.

PS. You may want to consider the Qualys Service Graph Connector as well.  It might be easier to use that than reclassifying a bunch of items that are "discovered" by the VR import process.

Nitesh Tolani
ServiceNow Employee

If the CMDB is not configured properly, installing the Vulnerability Response application, and connecting with any of the scanners such as Qualys will have the following benefits.

CI coverage

Scanners such as Qualys are comprehensive when it comes to the coverage of hosts. If customers have not configured CMDB yet, installing VR would result in a CI being created in CMDB with enough metadata for almost all hosts.

This gives customers a solid baseline in CMDB that can be enriched later by running ‘ServiceNow Discovery’ that performs horizontal and vertical scanning (to map application services). With IRE, any ‘Unclassed Hardware’ records created by VR will be automatically reclassified by ServiceNow Discovery into appropriate hardware classes (for example, Linux Server) while retaining all the attributes (such as name, FQDN) and relations to IP and Network Adapter records populated by VR application from the information returned by scanners.

Incomplete IP

However, if the scanner returns only ‘IP’ information in an asset, the Vulnerability Response module creates CI records in the ‘Incomplete IP’ table. These assets will not be reclassified automatically when the ‘Discovery’ job is run later. This is because the ‘Discovery’ job primarily looks for existing ‘Hardware’ (or one of the child classes) assets and enriches the metadata.

This also means that there could be duplicate entries in CMDB: one in ‘Incomplete IP’ and one in ‘Hardware’ when the Discovery job is run after running Vulnerability Response integration with one of the scanners.

CI Enrichment

Even if the CMDB is partially populated by Discovery, installing VR will help enrich these existing records further with the information returned by scanners. For example, attributes such as FQDN, the name for hardware records and any associated network adapter, IP address records.
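An added example, not part of the reply above and not ServiceNow code: a check for the duplicate case described under "Incomplete IP", run over constructed rows shaped like a CMDB export. The `cls` and `ips` field names and every sample value are assumptions; it lists each Incomplete IP record whose address is already held by a Hardware-class CI, and the ones that still have no owner.

```javascript
const INCOMPLETE = "Incomplete IP";

// Constructed sample export: one row per CI with its class label and related IPs.
const sampleCis = [
  { sys_id: "a1", cls: "Incomplete IP", name: "10.0.4.17", ips: ["10.0.4.17"] },
  { sys_id: "a2", cls: "Incomplete IP", name: "10.0.9.50", ips: ["10.0.9.50 "] },
  { sys_id: "a3", cls: "Incomplete IP", name: "10.0.7.7", ips: ["10.0.7.7"] },
  { sys_id: "b1", cls: "Linux Server", name: "app01", ips: ["10.0.4.17"] },
  // A router with several interfaces: one CI, many addresses seen by the scanner.
  { sys_id: "b2", cls: "IP Router", name: "core-rtr", ips: ["10.0.1.1", "10.0.2.1", "10.0.9.50"] },
  { sys_id: "c1", cls: "Unclassed Hardware", name: "host-x", ips: ["10.0.8.8"] },
];

// Exports often carry stray whitespace or mixed case (IPv6); compare normalized keys.
function normalizeIp(ip) {
  return String(ip).trim().toLowerCase();
}

function findShadowedIncompleteIps(cis) {
  // Index every address owned by a non-"Incomplete IP" CI.
  const hardwareByIp = new Map();
  for (const ci of cis) {
    if (ci.cls === INCOMPLETE) continue;
    for (const ip of ci.ips) {
      const key = normalizeIp(ip);
      if (!hardwareByIp.has(key)) hardwareByIp.set(key, []);
      hardwareByIp.get(key).push(ci.sys_id);
    }
  }
  const duplicates = []; // Incomplete IP rows that duplicate a Hardware CI
  const unmatched = [];  // Incomplete IP rows with no Hardware CI yet
  for (const ci of cis) {
    if (ci.cls !== INCOMPLETE) continue;
    const owners = ci.ips.flatMap((ip) => hardwareByIp.get(normalizeIp(ip)) || []);
    if (owners.length === 0) {
      unmatched.push(ci.sys_id);
    } else {
      duplicates.push({ incomplete: ci.sys_id, hardware: [...new Set(owners)] });
    }
  }
  return { duplicates, unmatched };
}

console.log(JSON.stringify(findShadowedIncompleteIps(sampleCis), null, 2));
```
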

Hi Nitesh,

So when a CI record gets matched using CI Lookup rules, does it update the CIs or not?