... they scan daily for any vulnerabilities.
As a developer, the whole idea of being able to simply "scan daily" for vulnerabilities is a fantasy.
If it were true, Microsoft would hire McAfee to "scan" Windows, and fix everything for good.
Vulnerabilities may exist on private URLs that neither McAfee nor the site owner are aware of. eCommerce sites use callback URLs for Google Checkout, PayPal IPN, and many credit card gateways (Protx, some Cardinal stuff), that can be spoofed by knowing the URL and having knowledge of the source code. (Many carts offer source-code as an option).
I'm only pointing out that spending $11k/yr for a "daily scan" is rediculous. They could make it an hourly-scan, or even every 10 minutes, and it wouldn't change the attack vectors.
Well-known URLs, or open ports, are not the problem. It's the "not-well-known URLs" that someone could use to place fraudulent orders, mark payments as "cleared", or upload spoofed SKUs at low-prices. McAfee cannot detect this, even for $11k/yr.