I also suggest opening up a ticket. If you the exact "CVE" numbers from
the Qualys report this will make a HUGE difference.
I recently had a ticket with IBM and their old obsolete bind that Qualys
reports quaked about. It was going nowhere until I added the exact CVE
numbers to the PMR. That got the ball rolling. It still took them months
to resolve this but they at least admitted they needed to address those.