Linux Kernel and Apache Versions - CVE Issues

Hi there

Please do correct me if I'm misunderstanding any of this, by the way!

We have a quarterly vulnerability scan on our Sophos XG IP addresses. Usually, this works without a hitch and we get a clean pass. However, since updating to 17.5 MR10, we're getting a massive list of CVE issues dating back to 2011 in some cases. This is failing our testing. We use the WAF to host several websites.

The main issue appears to be that the Linux Kernel on the XG is version 3.14.22, which dates back to 2014! The version of Apache is 2.4.10 - again, dating back to 2014.

Is this normal? Why is the version so old? Does this pose a security risk?

Thanks!