This reminding me of pointless PCI scans that flag you for using a vulnerable version of Nginx or a VPN software because that version has a CVE on record. This ignores the fact that the distro version is patched for the non-exploitable CVE.

Oh, one of my absolute favorite things is setting ServerTokens ProductOnly, so that scrubs will freak right out when they see their canned vuln scanner get bug-eyed and basically scream that the server might be vulnerable to every possible exploit ever written.