A few notes about unauthenticated scans against a Linux system:
- such scans doesn’t show that much vulnerabilities due to the availability of security backports like done by Debian
- the version of e.g. Apache might be not exposed at all in default configurations
- when scanning Linux systems you might need to lower the “QoD” of your filter to show more vulnerabilities which have a risk of false positives. See https://docs.greenbone.net/GSM-Manual/gos-6/en/glossary.html#quality-of-detection-qod for some info about the QoD and https://docs.greenbone.net/GSM-Manual/gos-6/en/web-interface.html#adjusting-filter on how to adjust your filter
Also note that Lynis seems to be more like a Tool checking for compliance / hardening / configuration issues (if i’m understanding the screenshots correctly) and is not a vulnerability scanner like GVM so the results might differ on a default scan.
To check policies / compliance with GVM you need to do a few additional steps:
https://docs.greenbone.net/GSM-Manual/gos-6/en/compliance-and-special-scans.html
Note that a few policies / compliance scans like e.g. Linux Secure Configuration - Policy Scan are also only part of the commercial GSF.