The gravest warning a pen test report could contain are the words “The host may be vulnerable to remote code execution”. It is hard to know what that immediately means. Did they get system access on a host? Nope. Was there a public exploit available for that version of software that enabled remote code execution? No again. So why would someone make such a vague alarmist recommendation?
In this case study, the pen test report writer’s logic was that even though there was no public exploit available for that version of software, someone somewhere might have developed one but . . .