If it is a security risk, then how come it doesn't detect it on the version that is commented out differently? So are you saying that Avast failed on that detection? Clearly Avast has no intention of generating false positives.
If it wants to warn users that a web page has commented-out code that is somewhat suspicious and could be a problem in the future, that's fine. But to alert about a serious trojan for a commented-out iFrame to a third-party domain is alarmist.
While I can appreciate the stance that some take that it is an inherent or latent security risk, the code is commented out and so it clearly poses no actual or residual risk. You can still wish for an alert on inherent risk if you want, as security people, but that stance and false positives don't win over any regular users to become more security-oriented -- to the contrary, it tells them that the security person is too alarmist.
To those who didn't actually read the whole post or thread, I've already articulated why I myself can't simply fix it. And it is clearly Avast which should be consistent in their interpretation of commented-out HTML code. Either both pages I've posted should be an alert, or both should not. I clearly take the stance that neither should cause an alert.
And as to why I post in this forum? It is because it is the only support option I have at the moment, because I have not committed to this product. And if Avast doesn't have the common sense to monitor this forum and respond as appropriate, then I don't know how they will win over customers to purchase their product.