If a client doesn’t support an algorithm, you can’t force a downgrade to it. A compensating control is that the clients are managed and only support the newest algorithms, and aren’t vulnerable to a downgrade attack.

Context is everything. Here, the context is that within this scan environment, it was, in fact, a bullshit finding.