For services that use Security Metrics, it **does** look at the software level from an external point of view. S.M. passes potential malicious XSS, SQL injection, and other queries to the site, and if the data is not filtered properly, adds to the risk score.
Sometimes it's internal server software, not your cart. For example, some versions of PHP contain security holes and if found, this will add to the risk score. You fix it by upgrading to the suggested version of PHP.
**Most** of the scripting risks are managed by properly filtering input. The upshot of this is that it makes your programs more secure, you learn to properly filter input, and this can't be anything but a good thing.
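As an added illustration of the "properly filtering input" point (example code, not from this thread or from any cart product): a cart page that validates a product id, binds it with a prepared statement and encodes what it echoes back, so the XSS and SQL-injection probes a scanner sends are rejected or rendered inert. It assumes a PDO connection in `$pdo` and a hypothetical `products` table with `id` and `name` columns.

```php
<?php
// Added example (not from the thread). Assumes $pdo is an open PDO connection
// and a hypothetical table `products` with columns id, name.

// --- Vulnerable pattern: raw request data goes straight into SQL and HTML ---
// $id  = $_GET['id'];
// $row = $pdo->query("SELECT name FROM products WHERE id = $id")->fetch();
// echo "<h1>" . $row['name'] . "</h1>";   // reflects whatever the scanner sent

// --- Hardened pattern ---

// 1. Validate: the id must be a positive integer; anything else is rejected.
function productId(): ?int {
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    return ($id === false || $id === null) ? null : $id;
}

// 2. Parameterise: the value is bound, never concatenated into the SQL text.
function loadProduct(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Encode on output: escape for the HTML context the value lands in, so a
//    stored or reflected "<script>" shows up as text instead of running.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$id = productId();
if ($id === null) {
    http_response_code(400);
    exit('Invalid product id');
}
$product = loadProduct($pdo, $id);
if ($product === null) {
    http_response_code(404);
    exit('Not found');
}
// The search term is reflected back to the user; encoding it is what keeps a
// reflected-XSS probe from executing in the visitor's browser.
$q = (string)($_GET['q'] ?? '');
echo '<h1>' . h($product['name']) . '</h1>';
echo '<p>You searched for: ' . h($q) . '</p>';
```

Validation rejects the bad input outright, the prepared statement keeps the SQL structure fixed, and output encoding protects against anything that still reaches the page; a scanner that gets a 400 for its injected id and sees its payload echoed as escaped text has nothing to flag.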
Don't know the direct answer to that, but I do know that sites that actually store credit card info are required to be PCI compliant on a higher level. The questionnaire is used to determine what level of PCI compliance you are required to meet as a vendor.
I'm beginning to think Security Metrics is not "perfect" and is giving some false positives based on unrelated non-security issues. Here's an example [webmasterworld.com]; the basic question asked there is still unanswered.
Even so, it's helped my clients to have more secure environments and made me a better programmer, at least, a little. :-)