Another report forwarded to me by a client saying "your website is insecure because it accepts outdated encryption protocols" - naturally passed along to them by third parties.

@stefano sounds like you are missing something. I’d run my eye over it again and use some static scanning tools to see what is in the http headers and what a security scan can learn. Sucuri have a decent scanner for free on their site.