What a shame you didn't receive any more responses on this topic.
I am in the same position. I set up and ran the 'Wp Security Scan" and was told the same thing: that my wp-admin folder has no .htaccess file.
Setting up my permalinks is always one of the first things I do (/%postname%/)but it's never created an .htaccess file for me automatically.
Actually, I suspect there is something wrong with the reporting of the security plugin. I have it installed on two blogs, one I have removed the admin user on and the other I have not. Yet in the innitial scan results of the security plugin for both blogs, I given the same result. That is, a GREEN sentence that says:
"No user 'admin'".
Obviously this cannot be the case for both blogs, which makes me dubious of the credibility of the rest of the security report.
I'll write to the creator Michael Torbert, and report back here if I can get a response.