IBM i Global

IBM i 

A space for professionals working with IBM’s integrated OS for Power systems to exchange ideas, ask questions, and share expertise on topics like RPG and COBOL development, application modernization, open source integration, system administration, and business continuity.

  • 1.  CVE-2023-51385 issue

    Posted Tue April 16, 2024 09:38 AM
    Please vote on my idea
    https://ibm-power-systems.ideas.ibm.com/ideas/IBMI-I-4051
     
    Upgrade level of OpenSSH from v8.6p1 to one which will pass scanning services.
     
    We are getting dinged by Qualys that our IBM i is exposed to CVE-2023-51385.
     
    I have applied the fixes listed at https://www.ibm.com/support/pages/node/7123159; however, IBM only chose to patch an old level of OpenSSH instead of putting on a new level of OpenSSH. This means NOTHING to the scanning services.
     
    IBM's history in the past has not been good towards PCI compliance and whatnot, as shown by: https://ibm-power-systems.ideas.ibm.com/ideas/IBMI-I-1094


    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------


  • 2.  RE: CVE-2023-51385 issue

    Posted Tue April 16, 2024 10:28 AM

    Good one, Rob ... I'm planning on Bringing This Up soon in an appropriate setting.



    ------------------------------
    Jack Woehr
    ------------------------------



  • 3.  RE: CVE-2023-51385 issue

    Posted Wed April 17, 2024 12:25 PM

    It also happened to me on other major cloud vendors' instances (Amz Linux...).

    The scanner flagged it, but it was fully patched; the version was unchanged.

    The problem is that many scanners are "generic": they try to apply the best heuristics given the surface available, and in many instances this translates into them just parsing version protocol headers.

    So one has to check whether it is a false positive or not.

    And usually, in my experience, they produce a lot of false positives due to the heterogeneity of the task and the OSes.

    Still, the vendor did their patch, so it is a grey area.

    I concur, though, that bumping the version would make life easier for the security team from the start.



    ------------------------------
    --ft
    ------------------------------
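What "they just parse version protocol headers" looks like in code, as an added example that is not part of this thread and not any scanner's own logic: it reads the RFC 4253 identification string a server sends, extracts the OpenSSH version, and applies the threshold a scanner uses (upstream shipped the fix for CVE-2023-51385 in OpenSSH 9.6). A vendor backport leaves that banner unchanged, so the constructed 8.6 banner below is flagged no matter what was patched behind it. The sample banners are constructed, not captured from real hosts. The last function is a behavioural probe of the local ssh client that does not depend on the version string; it assumes (an assumption, not something stated in the thread) that the fix makes ssh refuse a hostname containing shell metacharacters, so `ssh -G` on such a name exits non-zero.

```python
"""Reproduce the banner heuristic scanners apply to OpenSSH and show why a
backported fix is invisible to it. Added example; not from the original thread."""
import re
import socket
import subprocess
from typing import Optional, Tuple

# Upstream OpenSSH release that shipped the fix for CVE-2023-51385 (December 2023).
FIXED_IN = (9, 6)

# Constructed sample banners for illustration; not captured from any real host.
SAMPLE_BANNERS = {
    "ibmi_backported": "SSH-2.0-OpenSSH_8.6",          # vendor-patched, banner unchanged
    "upstream_fixed": "SSH-2.0-OpenSSH_9.6",
    "upstream_newer": "SSH-2.0-OpenSSH_9.7p1 Debian-7",  # portable suffix and comment field
    "other_server": "SSH-2.0-dropbear_2022.83",        # not OpenSSH at all
}

# RFC 4253: SSH-protoversion-softwareversion [SP comments]; OpenSSH uses
# "OpenSSH_<major>.<minor>" optionally followed by the portable suffix "pN".
_OPENSSH_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:p(?P<portable>\d+))?"
)


def parse_openssh_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from an identification string, or None if the server
    is not OpenSSH. The portable suffix (p1) is ignored, as scanners ignore it."""
    m = _OPENSSH_RE.match(banner.strip())
    if m is None:
        return None
    return int(m.group("major")), int(m.group("minor"))


def banner_flags_cve_2023_51385(banner: str) -> bool:
    """The scanner heuristic: any OpenSSH older than the upstream fix release is
    reported as vulnerable. A vendor backport is invisible because the version
    string does not change, which is exactly the false positive the thread describes."""
    ver = parse_openssh_version(banner)
    return ver is not None and ver < FIXED_IN


def fetch_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the server identification line the way a scanner does (network call).
    RFC 4253 allows the server to send other lines before the SSH- line, so skip them."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        for raw in f:
            line = raw.decode("ascii", errors="replace").rstrip("\r\n")
            if line.startswith("SSH-"):
                return line
    raise ValueError("no SSH identification line received")


def local_ssh_rejects_metachar_hostname(ssh_path: str = "ssh") -> bool:
    """Behavioural probe independent of the banner. Assumption: the CVE-2023-51385
    fix makes ssh refuse hostnames containing shell metacharacters, so '-G' (print
    the effective configuration, never connect) exits non-zero on such a name instead
    of printing the configuration. An unpatched client accepts the name and exits 0."""
    proc = subprocess.run(
        [ssh_path, "-G", "--", "host;id"], capture_output=True, text=True
    )
    return proc.returncode != 0


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        flagged = banner_flags_cve_2023_51385(banner)
        print(f"{label:16} {banner:36} scanner says vulnerable: {flagged}")
```

Run against a live host with `fetch_banner("hostname")` to see the exact string Qualys or any other banner-based check reads; the triage step is then to compare what that string implies with the behavioural probe, and to attach the vendor fix reference when the two disagree.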



  • 4.  RE: CVE-2023-51385 issue

    Posted Wed April 17, 2024 12:36 PM

    IBM has the same attitude when it comes to AIX, although they run an even older version there.  I have a different case->idea pair for that situation.

    True, I can use their response to post to the scanning report but is that what should be done?

    Apparently it's a scary thing in the open source world to actually upgrade.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 5.  RE: CVE-2023-51385 issue

    Posted Wed April 17, 2024 01:01 PM

    Rob, there are complete packages on the OpenSSH website for several architectures, but not IBM i.
    That means IBM compiles from source.
    And typical from platform to platform is that there are little differences, especially where certain files are located.
    So IBM engineers must modify, compile, install, and test their build of OpenSSH.
    And since it is so important, they of course have to read the latest changes from the OpenSSH community and watch out for backdoors. It does happen, and did happen last month in an intermediate release of OpenSSH due to the back-dooring of xz, a sub-component of OpenSSH.
    So it's not always simple and straightforward.
    My opinion is that OpenSSH is mission critical in nearly every shop now, so perhaps the priority of keeping up with the OpenSSH community and changes should become elevated a tad in priority, and I will express that opinion politely when asked.



    ------------------------------
    Jack Woehr
    ------------------------------