So, I'm not sure I exactly followed what the intent of the response I received was other than to tell me to go through the CUCM Security Guide, but I thought I would provide an update to this thread for anyone who might find the information useful.
We have Secure and non Secure SIP trunks but that does not appear to have been the issue as none of these configurations were changed but the scan finding has been corrected.
Our secure SIP trunk profiles all use secure SIP profiles with TLS as the Inbound and Outgoing Transport Type and Device Security Mode set to Encrypted.
The issue appears to have been that we had several endpoints configured with non-secure device profiles. As soon as we changed all of our device profiles to a secure version the problem cleared.