Are UIDs/GIDs minor than 100 considered a vulnerability problem or not?

SUSE Linux Enterprise Desktop 10 Service Pack 1
SUSE Linux Enterprise Desktop 10 Service Pack 2
SUSE Linux Enterprise Desktop 11
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10 Service Pack 1
SUSE Linux Enterprise Server 10 Service Pack 2
SUSE Linux Enterprise Server 9 Service Pack 4
SUSE Linux Enterprise Server 9 Service Pack 3
SUSE Linux Enterprise Server 9 Service Pack 2
SUSE Linux Enterprise Server 9 Service Pack 1

Customer is worried about user and group ids that are minor than 100 being a vulnerability problem

The numeric value has no special meaning at all (except for root and nobody in some cases). It doesn't matter at all whether e.g. the 'at' user has uid 25, 666 or 4711. Also 100 is no magic value. Just legacy from former timers when system users were not created dynamically. Nowadays the uids for system users is allocated dynamically in the range defined in /etc/login.defs.

Customers should not perform such invasive changes to the system. In the best case it doesn't help anything, in the worst case it causes trouble due to broken permissions.

Regarding to the group membership ids is not quite correct either. It's of course correct that system users like 'at' or 'haldaemon' are member of special groups. Normal users however should not be member of system groups on SUSE. Device permissions on SUSE Linux Enterprise 10 are handled by resmgr (resource manager client) so there is no need to be member of e.g. 'audio' or 'cdrom'. Exception here is 'video', you need to be member of that group if you use proprietary video drivers. Being member of the 'dialout'  group is needed for users that should be able to control dial-up connections via smpppd (SuSE Meta PPP Daemon).

100 is no magic value either (/etc/login.defs), in fact 100 is the gid of the 'users' group where every (non-system) user greated by useradd is member by default.

Check /etc/login.defs file for details about the minimum and maximum values for UID/GID