We had similar issue. Some of the AD users were not syncing. We came to know those user's 1st name and Last names were empty in Active Directory user account properties.
A bit old but what I do is a workaround for security folks. Disable Web Access on Phone Configuration page for the specific extensions or in Phone template for the specific model. Then there would be no vulnerabilities in scan results of VA scanner. ...