I don't think there were any specific security issues caused by Easter eggs but the policy was announced as one of the many changes in their "Trustworthy Computing" initiative.

It seems kinda harsh but it's important to remember the context: at the time, the security situation in Windows and Office was dire and it was (probably correctly) perceived as an existential threat to the company. I think "no Easter eggs" was as much for optics as for its actual effect on the codebase, a way to signal "we know about and stand behind every line of code that gets written; nothing is unaccounted for".