Truth. A stripped down configuration of that running nothing but personally-written code on the backend would pretty much render those issues moot (as in "completely mitigated").

Considering how lacking in detail the reports were, I'd probably have just dismissed this man's claims as "AI slop". That he was relying on nmap to tell him the version of something that is easily discovered using openssl s_client (because those HTTP response headers are perfectly human-readable) is kind of telling in and of itself.