When you are presented with a long Qualys report PDF, you are expected to work down its long list of vulnerabilities.
The task can be long and repetitious.
Most network device vulnerabilities are associated with ssl certificates or ssh cryptographic settings.
I would judge how good a vendor is by how it addresses the known vulnerabilities via firmware update, easy of implementing solution, and future product road map.
How do you check if you have addressed the specific vulnerability?
I found the following tools extremely useful.
nmap (port scan and ssl-cert audit)
ssh-audit