It really depends on how the scanners are actually checking for these things. In my experience, scanners either look at the initial version and call it vulnerable (without considering backporting), or they look at the direct NEVRA of a package (e.g. from RHEL) and use that as the absolute baseline, meaning if it doesn’t equal it entirely, you are considered vulnerable.
As an example of the above, look at Rocky Linux 8. The httpd package is httpd-2.4.37-56.module+el8.8.0+1284+07ef499e.6 while RHEL 8 is httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6. A scanner could look at the Rocky package and say “yep that’s vulnerable” because it does not understand the nuance of dnf modularity.
It really depends on how these scanners are actually “scanning” for these things. It is not uncommon for a scanner to say RHEL is fine but Rocky Linux is not.
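The mismatch described in the post above, as an added example that is not part of the original post: an exact string comparison of the two quoted httpd packages fails, while a comparison that ignores the build-specific fields of the module tag treats them as the same build. The function names and the normalization rule are assumptions made for illustration, not how any particular scanner works.

```python
import re

# Module tag as it appears in the two release strings quoted in the post:
# ".module+<platform>+<build number>+<hash>". The last two fields differ
# between the RHEL and Rocky builds of the same version and release.
MODULE_TAG = re.compile(r"\.module\+(?P<platform>el[0-9.]+)\+\d+\+[0-9a-f]+")

def split_nvr(nvr):
    """Split 'name-version-release' (no epoch or arch, as quoted in the post)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def normalize_release(release):
    """Drop the build number and hash, keep the platform marker (heuristic)."""
    return MODULE_TAG.sub(lambda m: ".module+" + m.group("platform"), release)

def naive_match(installed, baseline):
    """The strict check: anything not byte-identical to the baseline fails."""
    return installed == baseline

def module_aware_match(installed, baseline):
    """Compare name, version and release with the module tag normalized."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(baseline)
    return (n1, v1, normalize_release(r1)) == (n2, v2, normalize_release(r2))

# The two package strings quoted in the post.
ROCKY = "httpd-2.4.37-56.module+el8.8.0+1284+07ef499e.6"
RHEL = "httpd-2.4.37-56.module+el8.8.0+18758+b3a9c8da.6"

if __name__ == "__main__":
    print("exact match:       ", naive_match(ROCKY, RHEL))
    print("module-aware match:", module_aware_match(ROCKY, RHEL))
    print("normalized release:", normalize_release(split_nvr(ROCKY)[2]))
```
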