by runlevel1 1202 days ago
You've listed a ton of sites as having some security misconfiguration (OWASP A05:2021), but haven't given any further information on how you've made that determination.

Given generic external scanners' propensity for giving false positives, I'm very skeptical.

1 comment

This. As soon as you see "number of vulnerabilities it contains", you know it's bullshit. If it were that easy to spot legitimate bugs, the authors would mostly already have fixed them. Without human verification, probably somewhere between 950 and 995 out of 1000 detections are bogus. Also, OWASP has become such a meaningless buzzword, as if they're the only web bugs that matter, or as if it's a well-defined set with clear boundaries, let alone testable things (direct object reference / missing authorisation, good luck defining a rule for that, in general but especially with public APIs). (My employer is getting more corporate and guilty of this as well nowadays: trying to please buzzword-scanning customers by bringing up OWASP Top Ten in every web report no matter how relevant.)

I clicked because I was indeed curious how they'd rank, but this being the first point tells me that no sensible ranking could be found.

The only objective metric in the set is response time, but anyone would agree that this isn't the only thing you use to select what API to use.
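Both comments above turn on the same point: a generic external scanner flags "security misconfiguration" without checking whether the check even applies, so most raw detections are bogus until a human triages them. The script below is an added illustration of one common instance of that, not code from the thread or from any scanner it mentions. It compares a naive rule ("any response without X-Frame-Options or a CSP frame-ancestors directive is a misconfiguration") with the same rule after a minimal applicability check (framing protection only matters for successful HTML documents, not JSON API responses). The URLs, headers and responses are constructed sample data.

```python
"""Why a generic header check over-reports 'security misconfiguration'.

Constructed example: a naive scanner rule that flags every response lacking
framing protection, beside a triaged version that first asks whether framing
protection is applicable at all (a successful HTML document). JSON and plain
text API endpoints cannot be clickjacked, so flagging them is a false positive.
"""
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response (constructed, not real)."""
    url: str
    status: int
    headers: dict  # header names lower-cased, as a scanner would normalise them


def has_framing_protection(headers):
    """True if either anti-framing control is present."""
    if "x-frame-options" in headers:
        return True
    csp = headers.get("content-security-policy", "")
    return "frame-ancestors" in csp


def naive_findings(responses):
    """Generic scanner logic: any response without framing protection is a finding."""
    return [r.url for r in responses if not has_framing_protection(r.headers)]


def triaged_findings(responses):
    """Same rule, but only where it applies: 2xx/3xx responses that are HTML."""
    findings = []
    for r in responses:
        media_type = r.headers.get("content-type", "").split(";")[0].strip().lower()
        if r.status >= 400 or media_type != "text/html":
            continue  # error pages and non-HTML bodies are not frameable documents
        if not has_framing_protection(r.headers):
            findings.append(r.url)
    return findings


def bogus_ratio(responses):
    """Return (naive findings that triage discards, total naive findings)."""
    naive = naive_findings(responses)
    kept = set(triaged_findings(responses))
    return sum(1 for u in naive if u not in kept), len(naive)


# Constructed sample capture of a small public API (hostnames are placeholders).
SAMPLE = [
    Response("https://api.example.test/v1/users", 200,
             {"content-type": "application/json"}),
    Response("https://api.example.test/v1/health", 200,
             {"content-type": "text/plain"}),
    Response("https://api.example.test/docs", 200,
             {"content-type": "text/html; charset=utf-8"}),
    Response("https://api.example.test/admin", 200,
             {"content-type": "text/html", "x-frame-options": "DENY"}),
    Response("https://api.example.test/missing", 404,
             {"content-type": "text/html"}),
]

if __name__ == "__main__":
    print("naive:  ", naive_findings(SAMPLE))
    print("triaged:", triaged_findings(SAMPLE))
    bogus, total = bogus_ratio(SAMPLE)
    print(f"{bogus} of {total} naive findings were not applicable")
```

On the sample data the naive rule reports four "misconfigured" URLs and the triaged rule one (the unprotected HTML docs page); the other three were never frameable in the first place. The applicability check here is deliberately minimal; a real review would also confirm the page is reachable in a browser context and that framing it would actually expose an action, which is exactly the human verification step the thread says automated rankings skip.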