Sophos antivirus for android should not consider the presence of root as a threat if root access is disabled in Cyanogenmod.
Cyanogenmod versions 12 and 13 which are based on lollipop and marshmallow respectively contain root, but root access is disabled by default and to enable it one must enable developer settings and then enable root access to apps, to adb or to both, or to leave it disabled. http://www.cyanogenmod.org/blog/security-and-you (Root access management in Cyanogenmod explained)
However Sophos considers it as a threat to the device but in my opinion that depends more on the user and disabling the feature is pretty good security in this regard, of course not perfect, but it's not like there aren't apps that can root non - rooted devices anyway.
What I am talking about is the security audit by Sophos. The area of security being labeled as "device". So I would suggest to Sophos to improve the message in that regard or to make it possible for the user to choose to ignore the yellow flag to this particular area of security in android devices.