Having a good score on securityheaders.io does not mean your system is secure (e.g. unpatched CVEs, insecure server config, etc.), but having a bad score does tend to indicate that the devs are probably not paying attention to best practices.
That's nonsense, it simply means that the devs haven't implemented all the headers that Scott feels should be there - two of which, by the way, are still very much experimental, but he still marks you down for.
You might notice that www.google.com only scores a "C" on Scott's site, but that doesn't mean they are shoddy or third rate, it just means they've chosen not to implement CSPs etc.
if they haven't bothered to set CSPs or the HSTS header (on an e-commerce site which should be all-HTTPS all-the-time)
The HSTS header serves no useful purpose if your site / server only responds on HTTPS, and has no HTTP bindings.
As for Content Security Policies, they are fine if you control all of the content appearing on the site.
It becomes impossible to create CSPs that don't inadvertently break one or other tag manager, tracking pixel or whatever.
I'm not advocating that this is right or proper, but it is the reality of hosting e-commerce sites on behalf of third parties.
It would be great if we could dictate to clients that they must only use content providers we approve, or not use third-party scripts, etc., but we wouldn't have a business for very long if we did that.
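The CSP breakage problem described above can be checked before a policy is enforced: the same header value delivered as Content-Security-Policy-Report-Only only reports violations. Below is an added example (not code from this thread or from securityheaders.io) of a minimal CSP evaluator that lists which third-party resources a candidate policy would block; the site origin and vendor hostnames are constructed placeholders.

```python
"""Minimal CSP evaluator: shows which third-party resources a policy would block.
Added example, not code from the thread; all hostnames are constructed placeholders."""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://shop.example"  # constructed origin of the page that sends the policy

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, url):
    """Match one source expression against a resource URL (simplified CSP3 host matching)."""
    u = urlsplit(url)
    if source == "'self'":
        return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN
    if source.startswith("'"):  # 'none', 'unsafe-inline', nonces: never allow-list a host
        return False
    if source.endswith(":"):  # scheme-source such as "https:"
        return u.scheme == source[:-1]
    scheme, _, rest = source.rpartition("://")
    if scheme and scheme != u.scheme:
        return False
    host = rest.split("/")[0].split(":")[0].lower()
    if host.startswith("*."):  # wildcard matches subdomains only, not the bare domain
        return u.hostname.endswith(host[1:])
    return u.hostname == host

def blocked_resources(header, resources):
    """(directive, url) pairs the policy refuses; a fetch directive falls back to default-src."""
    policy = parse_csp(header)
    blocked = []
    for directive, url in resources:
        sources = policy.get(directive, policy.get("default-src"))
        if sources is not None and not any(source_matches(s, url) for s in sources):
            blocked.append((directive, url))
    return blocked

# Constructed page: first-party script, a third-party tag manager and a tracking pixel.
PAGE_RESOURCES = [
    ("script-src", "https://shop.example/static/app.js"),
    ("script-src", "https://tags.vendor-a.example/gtm.js"),
    ("img-src", "https://pixel.vendor-b.example/collect.gif"),
]
STRICT = "default-src 'self'; img-src 'self' *.vendor-b.example"
RELAXED = "default-src 'self'; script-src 'self' https://tags.vendor-a.example; img-src 'self' *.vendor-b.example"
```

Running `blocked_resources(STRICT, PAGE_RESOURCES)` reports the tag manager script as blocked, which is exactly what the report-only violation reports would show before the policy was switched to enforcing.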