...Receiving a 200, plus the server OS version, is perfectly safe, and a waste of their neurone power.
(As my host concludes.)
Or is that naive?
Your host is a lazy fool.
The same mentality that allows headers like "Powered by PHP" that hackkers scan to find sites to attack.
I don't have a clue why they're looking for this file, it could be as simple as someone building a map of domains running Apache vs Windows.
Could be completely benign but so are all things until they turn malignant.
Just because you're not vulnerable today doesn't mean they aren't cataloging in advance so they can infect as rapidly as possible before the patches are installed when the next big opening presents itself.
IMO no site should indicate what server, OS, software, or language they're using and do as much as they can to mask it all to avoid being on the next list of targets when the next vulnerability comes out.
However, with all that said, worrying about this file alone is really kind of silly because if there was any Apache vulnerability, I wouldn't even bother checking this file, I'd just attempt to infect the site because the bulk of the web is all Apache in the first place.
It's an interesting puzzle but not really worth all the effort to stop it unless your headers also don't day Apache, another clue.
Plus, if they know the default server IP they can probably get the default Apache page, or that icon, by totally bypassing your .htaccess file.
Therefore, unless you have a dedicated server this is all just a big exercise in futility as you'll be a target one way of the other. Mostly because none of the other sites on your server care about security so if you site protects itself the others on the shared server are still allowing all sorts of things that put the server at risk.
Unless the hosts make it a site-wide uniform security policy that cleans up all TELLS used by hackers, then its a waste of time.
There are more security conscious hosts that will be happy to take your money ;)