UPDATE: I figured it out. To clarify, I was never asking HOW to block these insecure HTTP methods on F5, I was asking why scanning two VIPs that had identical HTTP profiles, security settings, and no iRules or policies would return different results.
The answer is that I had a local hosts file entry that defined a name for one of the IPs of the VIPs and not the other, which changed the behavior of the NMAP scan and the service on the back end server that responded to its HTTP probes.
Thanks to all that read and contributed, but I'm keeping my delicious snack for myself sorry!