Some websites have security issues

I know that the notification from Defender (WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)) was due the update issue from Wordpress itself. The strange thing is that this notification appears only on 3 of about 10 sites. Now Wordpress 4.9.5 was released and everything was updated automatically. But the notification still appears in the backend and in the hub.

1. Why does the message still appear after the update to 4.9.5?
2. Why does it appear only on some sites?