One of the security vulnerabilities that security scans can detect is a remote management service accepting unencrypted credentials, such as FTP. That happens when services that use basic authentication (e.g., FTP) are enabled.
The standard recommendation is: If possible, use alternate services that provide encryption, such as SFTP. Using strong cryptography renders all authentication credentials (such as passwords/phrases) unreadable during transmission.
By default, FTP is disabled in Lithium installation. It is only enabled when the client requests it. SFTP is available to be used if you wish to do so. If you need to use FTP, you must adjust the account and directory access to make it more secure.