CentOS backports security fixes and it's not always easy to find whether a particular vulnerability has been remediated by just looking at a version number. For reference - The Package Versions - Why our package versions are (almost) never bumped up?
Recently a QID (105761) showed up on our reports where it's now indicating that Python 2.6.x is end of life. It is correct that Python 2.6.x will no longer release security or maintenance patches (Python 2.6.9 Release | Python.org ) but my quick research shows that vulnerabilities that surfaced on Python 2.7.x, CentOS backports them to Python 2.6.6 on CentOS 6.9/6.10 systems.
Can you please share if Qualys takes CentOS backporting in to account before raising vulnerabilities through the VM module? If so, how does it exactly do that?