Why does our vulnerability scan report the SMG has vulnerabilities in the Apache/HTTPD web server?
The SecureMail Gateway versions 4 and 5 are built on a hardened CentOS Linux operating system. The software components of the operating system, such as the Apache web server (HTTPD), the MySQL database, and the OpenSSL encryption libraries, are regularly updated via 'backports': fixes applied to the original version of the software. Although the main version number reported by the software never changes, the software itself receives regular updates, delivered as patches by our Technical Support. These updates are released when major bugs or security vulnerabilities are discovered in the software components.
The problem with this technique is that it can create 'false positives' when vulnerability scanning tools only look at the reported version number and do not ACTUALLY CHECK if the system is vulnerable. For instance, many scanners will report that the SMG's web server has dozens of vulnerabilities from as far back as 2013, and that it should be upgraded to at least httpd 2.2.XX. These are most likely false positives if the scanner is simply looking at the reported version number.
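One way to triage such findings is to compare the CVE ids the scanner reported against the package changelog, where backported fixes are normally recorded. The script below is an added example, not part of the SMG or its documentation. It assumes shell access to an RPM-based host (which this page does not say the SMG provides); the CVE ids, packager name and version-release strings are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: triage version-based scanner findings against a package changelog.
# On an RPM-based host the real input would be:  rpm -q --changelog httpd > changelog.txt
# All CVE ids, names and version-release strings below are constructed placeholders.

# Constructed excerpt in the layout rpm uses for changelog entries.
sample_changelog() {
cat <<'EOF'
* Tue Mar 04 2014 Example Packager <packager@example.com> - 2.2.0-2.example
- mod_dav: add security fix for CVE-0000-0002

* Mon Aug 12 2013 Example Packager <packager@example.com> - 2.2.0-1.example
- core: backport fix for CVE-0000-0001
- mod_ssl: fix a renegotiation regression
EOF
}

# triage_findings CHANGELOG_FILE CVE_ID...
# For each CVE id the scanner reported, print either
#   "<id> backported <version-release>"  (a changelog entry names the fix), or
#   "<id> unverified"                    (no entry found; not proof of exposure,
#                                         the finding still needs a real check).
triage_findings() {
    local changelog="$1" cve
    shift
    for cve in "$@"; do
        awk -v cve="$cve" '
            /^\* / { release = $NF }   # entry header ends with version-release
            # Require a non-digit after the id so ...-0001 does not match ...-00011.
            match($0, cve "([^0-9]|$)") {
                print cve, "backported", release
                found = 1
                exit
            }
            END { if (!found) print cve, "unverified" }
        ' "$changelog"
    done
}

# Demo on the constructed data.
demo_file=$(mktemp)
sample_changelog > "$demo_file"
triage_findings "$demo_file" CVE-0000-0001 CVE-0000-0002 CVE-0000-0003
rm -f "$demo_file"
```

Findings marked "backported" can be closed as false positives with the changelog entry as evidence; "unverified" ones should be raised with the vendor or tested directly.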
If you would like to test the web server of your SMG for vulnerabilities, a very helpful tool from Qualys can be found here: https://www.ssllabs.com/ssltest/