Defacement missed by this scanner?

Even Sucuri missed it :o: https://sitecheck.sucuri.net/results/subzerofroyoandcafe.com/index.php
Re: http://killmalware.com/subzerofroyoandcafe.com/index.php
Look at skins hacked in the code: https://oscarotero.com/embed/demo/index.php?url=http%3A%2F%2Fsubzerofroyoandcafe.com%2Findex.php&options[minImageWidth]=0&options[minImageHeight]=0&options[facebookAccessToken]=&options[embedlyKey]=&options[soundcloudClientId]=YOUR_CLIENT_ID&options[oembedParameters]=
Yahoo com abuse: http://toolbar.netcraft.com/site_report?url=http://subzerofroyoandcafe.com

See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fsubzerofroyoandcafe.com%2Findex.php%3Fact%3Dlogin%26redir%3DL2NhcnQucGhwP2FjdD1yZWc%3D

And the scan of customized XSS malware here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fsubzerofroyoandcafe.com%2Fjs%2Fems_visual_options.js
possibly landing for something like this: --/assets/application-1726b46fe75c21349af9ca74ec8c7498.js
Number of sources found: 135
Number of sinks found: 39

3 errors and 9 warnings on website: https://mxtoolbox.com/domain/subzerofroyoandcafe.com/
For https I get a certificate from website -websitewelcome.com
attacker intercepting the connection - ??? privacy error and a google safebrowsing alert and block…

polonus (volunteer website security analyst and website error-hunter)

Oh and here a brute force or php attack may work as

-SubZeroFroYoAndCafe.com (Powered by CubeCart) padlock icon
-subzerofroyoandcafe.com
Alerts (1)
Insecure login (1)
Password will be transmited in clear to -http://subzerofroyoandcafe.com/index.php?act=login&redir=L2luZGV4LnBocD9hY3Q9dmlld0RvYyZhbXA7ZG9jSWQ9MQ==
Infos (1)
Encryption (HTTPS) (1)
Communication is NOT encrypted
Unique IDs about your web browsing habits have been insecurely sent to third parties.

-subzerofroyoandcafe.com ccsid
d5fb79cb40414a309xxxxxxxxxae2ac1a1445965753

Also consider: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fsubzerofroyoandcafe.com%2Findex.php%3Fact%3Dlogin%26redir%3DL2luZGV4LnBocD9hY3Q9dmlld0RvYyZhbXA7ZG9jSWQ9MQ%3D%3D&useragent=Fetch+useragent&accept_encoding=
which is not defaced with the main page that is: see attached image of the defacement iFrame code

pol