I have tested the FreePBX web interface and it seems to be affected by a lot of security vulnerabilities due to the fact that it uses an end-of-life version of PHP.
Well, first of all, you have to know how these scanner tools work. Some of them just operate on the version string, which is quite misleading on LTS distros like RHEL and CentOS (CentOS is built from RHEL). LTS distros fix (security) problems by backporting the fixes to existing old versions.
Example: Apache 2.4.6 and CVE-2017-7679. This is fixed in RHSA-2017:2479. This erratum shipped httpd-2.4.6-67.el7_4.2 - my actual installed version is httpd-2.4.6-97 - so this finding is definitely a false positive.
You can find all fixed CVEs in CentOS here, and you can verify whether those versions are installed on your machine.
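The check described in this answer, as an added example that is not part of the original post: compare the installed package build against the build the erratum shipped, using RPM's segment-wise ordering instead of the upstream version string. `rpmvercmp` here is a simplified reimplementation (no epoch or caret handling), `is_patched` is a hypothetical helper name, and the `-45.el7` build is a constructed sample.

```python
import re
from itertools import zip_longest

# Segments are runs of digits or letters; everything else is a separator.
_TOKENS = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a, b):
    """Simplified RPM ordering of one version or release string: -1, 0 or 1."""
    for x, y in zip_longest(_TOKENS.findall(a), _TOKENS.findall(b)):
        if x == "~" or y == "~":          # a tilde sorts before anything, even end of string
            if x == y:
                continue
            return -1 if x == "~" else 1
        if x is None or y is None:        # the string with segments left over is newer
            return -1 if x is None else 1
        if x.isdigit() != y.isdigit():    # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)         # numeric compare, so 97 > 67 and 10 > 2
        if x != y:
            return 1 if x > y else -1
    return 0

def split_nvr(nvr):
    """Split name-version-release; version and release never contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def is_patched(installed_nvr, fixed_nvr):
    """True when the installed build is at or past the build the erratum shipped."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(fixed_nvr)
    if n1 != n2:
        raise ValueError("erratum is for a different package")
    # Version decides first; the release (where backports show up) breaks ties.
    return (rpmvercmp(v1, v2) or rpmvercmp(r1, r2)) >= 0

if __name__ == "__main__":
    fixed = "httpd-2.4.6-67.el7_4.2"      # build shipped by RHSA-2017:2479 (from the answer)
    for installed in ("httpd-2.4.6-97",   # installed build quoted in the answer
                      "httpd-2.4.6-45.el7"):  # constructed older build
        verdict = "false positive" if is_patched(installed, fixed) else "still affected"
        print(f"{installed}: {verdict}")
```

On a real host the installed string comes from `rpm -q httpd`, and `rpm -q --changelog httpd` lists the CVE identifiers each build addressed.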