@cromulus I am not into GitHub, but:
I. Webmail: Roundcube is fixing important security vulnerabilities quite fast. Currently they are on version 1.2.4 and fixed issues like #5583, #5472, the "vulnerability in handling of mail()'s 5th argument", #5401 etc. Currently MIAB is on version 1.2. (May 2016) or 1.2.1 (?) (Aug. 2016). A regular update of the Webmail client could help mitigate Webmail vulnerabilities, and yes, I know it is work. You are right that SSL settings give me confidence that basic security is considered and well implemented.
But when scanning the mail admin page (e.g. box.example.email/admin) the header seems not to be sent by the server or is misconfigured (therefore possible classical vulnerability issues arise: X-XSS-Protection, X-Content-Type-Options and Content-Security-Policy). The same goes for just e.g. box.example.email, with even more issues; header setting alerts: X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Content-Security-Policy. Those pages are different "entry points". Qualys SSL check does not check header configurations afaics.
II. I recommend disabling TLS v.1.0 (-tls1) completely, as nowadays most users should not run into compatibility problems and doing this is a security plus, as "The bottom line is that TLS 1.0 is insecure and we must migrate away from it."
III. The option to disable Owncloud (more secure fork: Nextcloud) (only) for those who do not sync address book and calendars would be a security plus. Cf.: Owncloud Security Vulnerabilities.
Having said all that with no professional knowledge: you are right that MIAB is pretty much state of the art otherwise, and I have huge respect for you guys doing this. Thank you!
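
The header alerts listed in the post above can be checked offline with a small audit over captured response heads. This is an added example, not part of the original post or of Mail-in-a-Box; the sample responses, the `response` helper and the accepted header values are constructed assumptions.

```python
"""Added example: audit the response headers named in the post."""

STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

# Header -> value check. Accepted values are assumptions for this example.
CHECKS = {
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-xss-protection": bool,          # presence only (legacy header)
    "referrer-policy": lambda v: v.lower() in STRICT_REFERRER,
    "content-security-policy": bool,   # presence only
}

def parse_headers(raw):
    """Return {lowercased name: value} from a raw HTTP response head."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                        # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return (missing, invalid) header names, each list sorted."""
    h = parse_headers(raw)
    csp = h.get("content-security-policy", "").lower()
    missing, invalid = [], []
    for name, ok in CHECKS.items():
        if name not in h:
            # CSP frame-ancestors supersedes X-Frame-Options.
            if name == "x-frame-options" and "frame-ancestors" in csp:
                continue
            missing.append(name)
        elif not ok(h[name]):
            invalid.append(name)         # sent, but misconfigured
    return sorted(missing), sorted(invalid)

def response(*lines):
    """Build a constructed response head (hypothetical helper)."""
    return "\r\n".join(("HTTP/1.1 200 OK", "Content-Type: text/html",
                        *lines, "", "<html>"))

# Constructed samples for the two entry points, plus a hardened one.
SAMPLES = {
    "/admin": response("X-Frame-Options: DENY", "Referrer-Policy: strict-origin",
                       "X-Content-Type-Options: no-sniff"),
    "/": response(),
    "hardened": response("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'",
                         "X-Content-Type-Options: nosniff", "X-XSS-Protection: 0",
                         "Referrer-Policy: no-referrer"),
}
```

Running `audit` on a head captured from each entry point separately shows which path lacks which header, since a header set for one location is not necessarily sent for another.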