How Can I See What Exactly Is "Vulnerable" On My Site?
When you open your connected iControlWP sites summary page, you may find a site that contains known vulnerabilities.
If you open that particular site to manage, you will be able to see a list of all updates currently available for that site and in all likelihood one or more of your plugins/themes or even WordPress itself will have an update available for it.
You can immediately update the affected asset from there.
However, if you cannot see any vulnerable assets listed under the "Updates" tab, then there isn't yet an update available for it.
Read here on how WordPress Automatic Updates system works.
To review the vulnerable asset(s), check the Plugins and/or Themes tab. The affected asset(s) will be highlighted.
Here is an example of the site with plugin vulnerability when update is not available yet:
What if there's no update for your affected asset?
Then the decision is yours to make on whether you should continue using it, or replace it with an alternative.
Important: If your site is running a "vulnerable" WordPress version ( site shows WordPress Core vulnerability ), that means that there is a discovered vulnerability for that version (i.e. 4.9.4, see here) but WordPress.org hasn't released an update for it yet.