Lack of X-Frame-Options without a well-defined risk

Although some automated tools may flag it as such, the absence of the X-Frame-Options header is not always a vulnerability. The absence of the header may enable clickjacking attacks, but this is true only if the affected page exposes a simple UI where the attacker could accomplish something security-relevant with one or just a couple of well-placed clicks. 

Conversely, lack of X-Frame-Options on a Youtube 404 page has no security implications, at least until shown otherwise :-)

When reporting bugs related to clickjacking, please put together a simple proof-of-concept attack and take a critical look at what's at risk and how likely the required UI interaction would be. If the proposed attack scenario turns out unrealistic, your report will probably be rejected.