The tool used was our own scanner and it differentiates between package versions and 'upstream' versions. So when saying an older PHP version, it is about the upstream version, not the package version. There were many hosters that hadn't installed the latest security releases of e.g. RedHat, but I only included when they were on an unsupported release.
