Some docs have to be updated i think ;) https://www.virtualmin.com/documentation/security/pci
See some info for that here. https://linux-audit.com/linux-systems-guide-to-achieve-pci-dss-complianc...
So yes or no needed updated docs version and probably a sticky part in forum somewhere.?
Maybe some likes a extra hardened version more expensive audited of a licensed and PCI complaint virtualmin out of the box. Virtualmin themselves can maybe if enough intrest provide such with them over for example https://cisofy.com/lynis-enterprise/ they are nice guys don't know