TLDR: Scan your systems first and build & configure them to be secure. Then continue scanning your systems for vulns and signs of breaches, and build a secure lifecycle.
The scans demonstrate that someone, somewhere, is trying to learn about your systems ostensibly to break in. Assuming that you (and your organization) value the servers and/or what they host, you should find problems in your systems before the bad guys. Scanning is relatively cheap and easy, and will let you find low hanging fruit just like the bad guys. If you find and fix issues faster than they can use them against you, you're in good shape. If you can detect breaches, isolate and recover before the attacker gets sensitive info, you're still on good shape.
The thing is, scanners are all different, and no scanner is panacea. This means that (a) the attacker's scanner may find issues yours doesn't and (b) a dedicated attacker may use more advanced techniques to break into your systems. This means you need to balance the value of the assets against how much you need to spend protecting them. You will need to develop a lifecycle that ensures systems and software are sufficiently secure for your needs, and are maintained to remain sufficiently secure.
- You may decide that your systems are entirely 3rd party provided, by a hosted provider and that you trust the provider to keep it secure. Make sure you have insurance and contracts that shift liability away from yourself.
- you may exclusively use 3rd party software in your own environment, or your own systems within a hosted environment, and decide that you trust the manufacturers to announce and fix vulnerabilities. You may need an inventory of components and a way to monitor for new vulnerabilities, and a process to periodically push and test patches while maintaining your own up time. You may also need to introduce intrusion prevention and intrusion detection systems, malware scanning, audit processes, etc.
- you may write your own software, in which case you may want a secure development lifecycle, including things like web app scanning, malware scanning, static code analysis, fuzzing, qa security testing, penetration testing, threat modeling, etc.
- you may decide that you really don't care what happens to the system, even if the attacker takes it over, kicks you out, and starts serving content that could get you thrown in jail. In this case, you wouldn't need to do anything.