Most vulnerability scans inflate their findings with non-security stuff because it brings more business and false positives are always well received by management (less by those who actually has to evaluate the results technically). Better safe than sorry, they say. However, I have hard time seeing how it is a security vulnerability. Discovering IIS server is easy anyway, unless you take very special precautions which 99.999% of people never do, and any automated exploit tool that wanders on the site would do that discovery anyway, so would any focused attacker. So this specific thing is not nice, it looks unprofessional, it may annoy or scare the users that accidentally type a wrong thing, but I do not see how it's security related.