How can I hide Moodle version details from being detected by scan tools like ImmuniWeb, especially when it still reveals version details even after adjusting headers to hide the information?
It looks like they are using fingerprinting rather than any specific piece of data to analyse that information. That might be using JS library versions and page structures as part of this which is not possible to hide. This is a bit of a guess without knowing more about how they are fingerprinting.
For the reasons Brett mentioned, among others, there's probably no way to 100% hide this. One thing to check would be the docs on hiding internal paths, which helps remove access to some of the information that might be used. You can find the docs for Apache here: https://docs.moodle.org/en/Apache#Hiding_internal_paths - there's also equivalent docs on their own pages for other web servers (eg nginx hiding internal files).
Using the latest version of Moodle won't help achieving PCI/DSS compliance. The reported version (4.3.8) is fine to use as long as your server is properly patched, configured, and secured with multiple layers of protection such as web application firewalls, IDS, IPS, honeypots, proxy servers, and other scan/attack prevention mechanisms. Moodle is simply a web app that excels at what it was designed to do, and it has been doing the job well for over 20 years. 
On the other hand, a poorly configured, unprotected server will allow scanners to identify back-end software in detail, but this isn't Moodle's fault. Once your server is properly configured, any "wrong" step by a scanner should trigger your defense mechanisms to block malicious IPs, so there's no need to "hide" anything.
But if you really want to try hiding this information, focus on writing rules that block direct access to (.txt) and (.md) files. Good luck!
On the other hand, a poorly configured, unprotected server will allow scanners to identify back-end software in detail, but this isn't Moodle's fault. Once your server is properly configured, any "wrong" step by a scanner should trigger your defense mechanisms to block malicious IPs, so there's no need to "hide" anything.
But if you really want to try hiding this information, focus on writing rules that block direct access to (.txt) and (.md) files. Good luck!
To be clear Moodle does not claim PCI/DSS complaince in any way. That is a standard that applies to credit card payments industry and is a very different thing to what Moodle is used for.