In the past I've always just replied back mentioning that we use CentOS/RHEL, which uses backported packages, and included the changelog rpm output for the specific package, i.e.:
rpm -q --changelog openssh-server | head -n 50
And that has always satisfied the "outdated binary" findings.
As an aside, would it be more beneficial if PCI regulators knew about shared hosting? It's one thing to have the server (packages, ports, etc) secure. It's quite another to run an outdated script. I keep all of our servers up to date with the latest packages, Apache, PHP, etc. But I can't speak for every client keeping their WordPress or WooCommerce script up to date.
A better approach to PCI compliance might be to allow server administrators to run server penetration tests, which identify things like outdated SSH and/or insecure ports, and to keep that information up to date and posted (certified) with a central body.
Then when randomsharedhoster.com wants to become PCI compliant, they request a PCI scan; the PCI scanner finds that randomsharedhoster.com resolves to the IP address XX.XX.XX.XX, and XX.XX.XX.XX is found to have a recent server PCI compliance certification at the central body storing that information. Now the PCI scan can focus more on whether randomsharedhoster.com is keeping their script up to date, using strong and secure passwords, and storing information securely.
This would seem to make better sense to me. But I'm not sure if the people running the PCI standard realize what shared hosting is.
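To illustrate the backported-package evidence described in the post above, here is an added shell example (not from the original poster) that extracts, from `rpm -q --changelog`-style output, the package release in which a given CVE was fixed. Because the verifier has no rpm database, it runs against a constructed changelog embedded in the script; the maintainer name, release strings and CVE ids in that sample are placeholders, not real advisories. In real use the sample is replaced by `rpm -q --changelog openssh-server | fixed_in_release CVE-...`.

```shell
#!/bin/sh
# Added example: turn an rpm changelog into scanner-ready evidence that a
# backported fix is installed even though the version banner looks old.

# Constructed sample in the format printed by `rpm -q --changelog <pkg>`.
# Maintainer, releases and CVE ids are placeholders (not real data).
SAMPLE_CHANGELOG='* Mon Mar 04 2019 Example Maintainer <maint@example.invalid> - 7.4p1-21
- fix CVE-0000-0002 (placeholder): harden authentication path
- resolves: rhbz#0000002 (placeholder)

* Tue Oct 02 2018 Example Maintainer <maint@example.invalid> - 7.4p1-16
- fix CVE-0000-0001 (placeholder): bounds check in packet parser

* Wed Jan 10 2018 Example Maintainer <maint@example.invalid> - 7.4p1-13
- rebuild for new toolchain
'

# fixed_in_release CVE-ID  (changelog text on stdin)
# Prints the release from the "* <date> <maintainer> - <release>" header of
# the first entry that mentions the CVE. Exit status 1 if no entry mentions it.
fixed_in_release() {
    awk -v cve="$1" '
        /^\* /             { release = $NF; next }        # header: last field is the release
        index($0, cve) > 0 { print release; found = 1; exit }
        END                { exit found ? 0 : 1 }
    '
}

# cve_evidence CVE-ID
# Wraps fixed_in_release around the embedded sample and prints a one-line
# statement suitable for a scanner dispute. Returns 1 when no fix is recorded.
cve_evidence() {
    rel=$(printf '%s' "$SAMPLE_CHANGELOG" | fixed_in_release "$1") || {
        printf '%s: no changelog entry found, treat the finding as open\n' "$1"
        return 1
    }
    printf '%s fixed by backport in release %s\n' "$1" "$rel"
}

# Stand-alone run: show one hit and one miss.
cve_evidence CVE-0000-0001
cve_evidence CVE-0000-0009 || true
```

The important design point is the `next` after the header rule: without it, a CVE id that appears in a header line would be matched before the release variable is updated for that entry. Absence of a changelog entry is reported as an open finding rather than silently ignored, which is the conservative answer to give an assessor.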