Rapid7 Vulnerability Integration was failing to import the data and the Vulnerability Data Source Import Queue entries were in the 'Error' status with the below error message:
Encountered error during processing: Error: Attachments not deleted
The scheduled job 'Scheduled Vulnerability Data Source Processor' is responsible for deleting the existing attachment from the data source and copying over the new one from the queue entry.
This job's 'Run as user' is VR.System.
Although the user has the sn_vul.vr_import_admin role, if the import_admin role is missing, the user won't have the right privileges to delete the attachment.
Remove the sn_vul.vr_import_admin from the VR.system user and add it back.
This will make sure the import_admin is inherited correctly and will make sure the user has the right privileges to delete the attachment.
If above doesn't resolve the issue, then check for ACLs on sys_attachment table. My experience - one of the customer has custom ACL on their instance that was restricting the delete.