The rating is an F because it supports SSL2. Yet, they didn't show a single example where it permitted an SSL2 handshake or connection.
Every email server supports SSL2. The real question is does it actually permit SSL2 connections. Hell my server "supports" SSL2, but I have it connections disabled in the configuration. This security rating is just a load of political crap. Everyone picking on poor ol' Hillary for using a private server. It must be weak because it's not based at the State Department. Because we all know the best and brightest computer nerds work for the Fed?
Now given what I see there from this scan, she's using SHA-1 for signatures. Definitely not best practice. I'd rate that server as a C or a D. The server appears to be an IIS server. A hardened Linux server would have been the way to go. Just because it's not a guvmint server doesn't mean it is automatically weak. My server gets attacked all day long and hasn't been hacked. Sure, I'm not a big target either. I once conducted an experiment to see how long it would take for someone to hack my Linux system. So I put one out there, and didn't patch it, did a minimal security setup, like you might get from a Linux Servers for Dummies tutorial (there are plenty out there). It took 4 months for my relatvely unknown server. But that was years ago. I haven't been hacked since, and no that is not an invitation to try. I get DDOSed on a semi-regular basis. Not much I can do about that, other than what I am doing. I haven't got a 1000 servers to offload attacks to.
In the end, a well configured and maintained server stands as much of a chance of being secure as any server out there, save perhaps the DOD. Bigger is not necessarily better.