Fixlet 72160402, which checks for CVE-2015-8704, returns a false positive for AIX 7200-00-02. It’s checking for an interim fix, but the fix was bundled into service pack 2.
I think the fixlet is having trouble because it’s only looking at the version of fileset bos.net.tcp.client. The bundling has been changed in AIX 7.2 so that there are now multiple filesets (for example, bos.net.tcp.bind_utils) that contain the files that used to be in bos.net.tcp.client.