Even though vcenter port 9443 is used by deprecated vCenter client, the vulnerability is still there and need to be fixed.
There must be somewhere to add the HSTS header for web page using port 9443 as well as port 5580, we don't know where is it though.
Not everyone is willing to upgrade to vCenter 7.0 just for this.