Is it really a failure if X-Frame-Options header is missing on a blog? If it is a failure then why not just make it not possible to use iframes at the browser level.
Without context, this service misrepresents the real security of any given site.
To be fair, the challenge of nearly all security assessment tools, including Security Headers, is they don't understand the context of what they are assessing. X-Frame-Options on a blog isn't a big deal. X-Frame-Options on a SaaS app can be. That's why blindly scanning something and then saying "look at all these vulnerabilities" is a pretty poor way to assess the security of a service.
Without context, this service misrepresents the real security of any given site.