Those services will be running as root on 99% of GNU/Linux distributions. This tool is useful to understand the level of hardening that has been applied to a systemd service, but the vulnerable or insecure labels are utter nonsense.
So what to do about this? I am sure it is not good manners to run all these services as root.
Yes, it would be better to not run them as root.
What you could do about it is do what I have done, for example, with dhcpcd. Spend a couple of weeks studying what the program does (which files it needs with write access, which as read-only, whether it opens network sockets, configures the kernel via netlink, etc.) and which capabilities it needs (if they exist), then try to harden it, add workarounds using polkit or sudo if needed and make sure you don’t break any common workflow.
Then, open a pull request in Nixpkgs and wait for reviews. And if it gets merged, go to the next service in line.
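
The study checklist in the post above, mapped onto systemd sandboxing directives in a NixOS module. This is an added example, not part of the original posts and not the dhcpcd hardening from Nixpkgs; the service name `exampled`, its paths and its capability set are assumptions for a hypothetical network daemon.

```nix
# Added example. "exampled" is a hypothetical daemon: every path, capability
# and address family below is an assumption to be replaced by what the study
# of the real program shows it needs.
{ ... }:
{
  # Dedicated unprivileged account instead of root.
  users.groups.exampled = { };
  users.users.exampled = {
    isSystemUser = true;
    group = "exampled";
  };

  systemd.services.exampled.serviceConfig = {
    User = "exampled";
    Group = "exampled";

    # "Which capabilities it needs": grant those, bound the set to the same
    # list, and forbid regaining privileges through setuid binaries.
    AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" ];
    CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" ];
    NoNewPrivileges = true;

    # "Which files it needs with write access, which as read-only":
    # the whole file system becomes read-only except the listed directories.
    ProtectSystem = "strict";
    ProtectHome = true;
    PrivateTmp = true;
    StateDirectory = "exampled";     # writable /var/lib/exampled
    RuntimeDirectory = "exampled";   # writable /run/exampled
    ReadOnlyPaths = [ "/etc/exampled.conf" ];

    # "Whether it opens network sockets, configures the kernel via netlink":
    # allow only the socket families the daemon was observed to use.
    RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" "AF_PACKET" ];

    # Generic restrictions that most daemons tolerate; each one still has to
    # be tested against the common workflows before it goes into a PR.
    ProtectKernelModules = true;
    ProtectControlGroups = true;
    RestrictNamespaces = true;
    LockPersonality = true;
    MemoryDenyWriteExecute = true;
    SystemCallArchitectures = "native";
    SystemCallFilter = [ "@system-service" ];
  };
}
```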