Hi,
I still believe that leaving it as is is a better option than disabling HTTPs connection. I know that it will "resolve" one of your issues but it's not right. It's just dump following of recommendation from audit.
As Samuli mentioned I would raise a ticket with SAP. I would ask how you can control SSL cipher suites used by sapstartsrv. Before raising a ticket I would double check what cipher suites are offered by standard HTTPS port used for serving various web based services and port 5xx14. Is it possible that your 443 port is actually open on web dispatcher or other reverse proxy and hence it gets config from somewhere else?
Cheers