According to Bandit's documentation, importing the subprocess module is considered a low security issue (B404). Unfortunately, it does not provide alternatives or explanation why. Thus, I have 2 questions:
Our team decided to turn off the B404 warning, because as you pointed out it is not useful.
We have B602: subprocess_popen_with_shell_equals_true and B603: subprocess_without_shell_equals_true both turned on, which are where actual security issues could happen.
As noted in the Bandit blacklist imports documentation, this is a low severity issue. It is just a heads-up for anyone who is not aware of the potential security issues related to the library.
You can suppress the warning by excluding it with # nosec B404 on the corresponding line, or by changing scan behavior in your Bandit configuration.
