If you've connected your site to Cloudflare, run_test_23() will throw a false positive, because the server header returned is 'cloudflare-nqinx', as opposed to 'apache' or 'nqinx' which you're currently looking for.
This could be fixed by changing the code in run_test_23 (line 858 of securitycheck.class.php) and replacing:
preg_match("/^(apache|nginx)$/i",$response['headers']['server']) === 0
preg_match( "/^(apache|nginx|cloudflare\-nginx)$/i", $this->response['headers']['server'] ) === 0
There may be a better way to do this, but I needed a quick hack.