This is a BS audit. All they do is look for CVEs and say PHP version blah has these vulnerabilities but Red Hat back ports all security vulnerabilities into their version of PHP and apache and hence they make their way into Centos and us and everyone else based on RHEL. This is a audit firm who doesn’t understand backports. Have them prove a vulnerability exist with a exploit.