Many security audits use a long list of best practices as a starting point. VNC is one of those checkboxes (protocol flaws, lack of brute-force protection, default blank passwords - all from the early days and long since resolved in major distros), so you will get something back like:
Issue: VNC running on system XYZZY
Best Practice: Remove VNC
If you need the utility, you'll need to provide the analysis showing how those early issues with VNC no longer apply or are mitigated. In a previous company, I did this a few times by requesting the reason for VNC being on the list and then, point by point, showing how these didn't apply or were mitigated in the version/environment/configuration we had it in. Much of the information needed to do this you can pull straight from the documentation of your distribution.
Have fun doing this over again at subsequent audits also :-p