To be fair, the challenge of nearly all security assessment tools, including Security Headers, is they don't understand the context of what they are assessing. X-Frame-Options on a blog isn't a big deal. X-Frame-Options on a SaaS app can be. That's why blindly scanning something and then saying "look at all these vulnerabilities" is a pretty poor way to assess the security of a service.
