PHP 7.2 or higher for PCI DSS compliance


That’s the key word - alleged. If the scans cannot tell which versions of the software are being used, then they cannot tell if there are any vulnerabilities. Even if they do know, the scans also do not say whether the mitigations or patches for those vulnerabilities are in place.

I would say the best move would be the following (and I am not totally a massive fan of security through obscurity):

  1. Block any and all ports that are not required, even for the provider’s remote site. If the provider doesn’t require access to a port for the equipment to work, no point in having it open.
  2. Prevent Apache and PHP from reporting at least their version numbers and, if possible, that they are being used.
  3. Have other safeguards, such as DPI or Fail2Ban or whatever else you deem sufficient, to protect your infrastructure in place.

That should solve a massive part of that list.

I know about quite a number of sites which are running PHP 5.4 or 5.6 which are PCI compliant because they have sufficient things in place to satisfy the requirements.
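Added example for step 2 above, not part of the original post: a POSIX shell function that audits captured HTTP response headers for the Apache and PHP version disclosure a scanner would pick up, and names the directive that removes each finding. The sample headers are constructed and the host in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit captured HTTP response
# headers for the Apache/PHP version disclosure that step 2 above is about.
# Live use, with a placeholder host:  curl -sI https://shop.example/ | audit_headers

# Reads raw response headers on stdin, prints one LEAK line per disclosing
# header together with the directive that removes it, and returns 1 if
# anything leaked (0 when clean).
audit_headers() {
  leaks=0
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')      # strip the CR of CRLF
    name=${line%%:*}
    value=${line#*:}
    value=${value# }                               # drop the space after ':'
    case "$name" in
      [Ss]erver)
        # With "ServerTokens Prod" (plus "ServerSignature Off" for error
        # pages) Apache sends exactly "Server: Apache" and nothing more.
        if [ "$value" != "Apache" ]; then
          echo "LEAK: $line  -> httpd.conf: ServerTokens Prod / ServerSignature Off"
          leaks=1
        fi ;;
      [Xx]-[Pp]owered-[Bb]y)
        # PHP adds "X-Powered-By: PHP/x.y.z" unless php.ini has expose_php = Off;
        # "Header unset X-Powered-By" (mod_headers) also strips it.
        echo "LEAK: $line  -> php.ini: expose_php = Off"
        leaks=1 ;;
    esac
  done
  return $leaks
}

# Constructed sample: a typical unhardened LAMP response, not a real capture.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/5.6.40
Content-Type: text/html; charset=UTF-8'

if printf '%s\n' "$SAMPLE_HEADERS" | audit_headers; then
  echo "no version disclosure found"
else
  echo "version disclosure found; apply the listed directives and re-check"
fi
```

A clean result here only covers banner disclosure; the ports and Fail2Ban points in steps 1 and 3 still need their own checks.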
