1) It's possible to fingerprint a network service besides just reading the version string to better identify if there are any outstanding vulnerabilities.
2) Most exploits do not need to damage the services or systems.
3) The whole point of a security scan is for the good guys to identify problems before the bad guys do. If that means causing a DoS incident to a customer to prove they are running running vulnerable software, that's a much cheaper
4) Customers can schedule security scans, so off-hours, maintenance windows are easily selected.
5) The cost of widespread credit card fraud is quite significant, too. A company could make a whole business model out of being more secure, and giving their customers lower fees or better rewards due to the decreased fraud from vulnerable companies.