Just to clarify a few things.....
When you have a multi-site installation things get a little complicated when you introduce things like firewall rules in the .htaccess file because a typical multi-site installation has a shared file system (and .htaccess file) across all sites.
This is why for the subsites we have made some of the features which involve modifying the .htaccess file unavailable. As a result, since some of the features are disabled on the subsites, this will also be reflected in the security scores.
Another thing to keep in mind is that if you activate any of the firewall rules from the main site, these will work on the subsites too due to the shared nature of the .htaccess file.
The only caveat of this currently is that if you activate the "Brute Force Prevention" feature on the main site of a multi-site, then this will mean that access to the login/admin pages of subsites will be blocked unless people know the secret url password (or if they have the special cookie in their browser).
So if someone from a subsite wanted to access their login page when the Brute Force feature is enabled, they would have to do the following:
1) First type the URL of main main site together with the secret word:
2) The above will deposit the special cookie in their browser but it will also redirect them to the login page of the "main" site
3) Since they now have the special cookie in their browser the plugin will allow them access their subsite login page. So now can type in their login page URL directly:
I know it's a little confusing but that's how it currently works for multi-sites.
I recommend you leave the brute force feature disabled if you think the above is too complicated.
We will also introduce a better way of dealing with multisites for the brute force feature in future updates.