Report that lists patches vs configuration issues?

It’s definitely possible to create a custom SQL report that scopes by asset groups (or various other types of data). I’m not sure you’d be able to scope that asset group the exact way you want, though.

I kinda talked about this in this post, but I don’t think there’s a way to be 100% certain that a vulnerability/vuln solution is a patch versus something like a config issue. You can filter to a degree based on solution type, which can be things like “PATCH” or “ROLLUP” or “WORKAROUND.” There are also vulnerability categories for further filtering. You can see which ones exist if you go into Scan Template Configuration and then scroll down to Vulnerability Checks. The query in the post I linked shows how that filtering is done.

I hope that helps somewhat, but if not maybe you can provide some more details and we can try to figure something out.
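
A sketch of the solution-type filtering described in the reply above, scoped to one asset group. This is an added example, not the query from the linked post. It assumes the SQL Query Export reporting data model tables and columns named in the comments, uses a placeholder asset group name, and treats “PATCH” and “ROLLUP” as patch-type, which is an assumption about how you want to bucket them.

```sql
-- Added example (not from the original thread).
-- Assumed reporting data model tables: fact_asset_vulnerability_finding,
-- dim_asset, dim_asset_group, dim_asset_group_asset, dim_vulnerability,
-- dim_vulnerability_solution, dim_solution.
-- 'EXAMPLE ASSET GROUP' is a placeholder; replace it with your group name.
SELECT
    da.ip_address,
    da.host_name,
    dv.title          AS vulnerability,
    ds.solution_type,
    -- Bucketing is an assumption: PATCH and ROLLUP count as patch-type,
    -- everything else (e.g. WORKAROUND) is flagged for manual review,
    -- since solution type alone cannot prove a finding is a config issue.
    CASE
        WHEN ds.solution_type IN ('PATCH', 'ROLLUP') THEN 'patch'
        ELSE 'review: possible configuration issue'
    END               AS remediation_kind,
    ds.summary        AS solution
FROM fact_asset_vulnerability_finding favf
JOIN dim_asset_group_asset daga
    ON daga.asset_id = favf.asset_id
JOIN dim_asset_group dag
    ON dag.asset_group_id = daga.asset_group_id
JOIN dim_asset da
    ON da.asset_id = favf.asset_id
JOIN dim_vulnerability dv
    ON dv.vulnerability_id = favf.vulnerability_id
JOIN dim_vulnerability_solution dvs
    ON dvs.vulnerability_id = favf.vulnerability_id
JOIN dim_solution ds
    ON ds.solution_id = dvs.solution_id
WHERE dag.name = 'EXAMPLE ASSET GROUP'
ORDER BY remediation_kind, da.ip_address, dv.title;
```

A vulnerability with several solutions appears once per solution, so the same finding can show up in both buckets; review those rows by hand before reporting counts.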