
zb3, yesterday at 3:49 PM

This has to be the most bullshit reason I've seen. If AI can be pointed at code and find vulnerabilities, then do it yourself before publishing the code.


Replies

dspillett, yesterday at 4:09 PM

> if AI can be pointed at code and find vulnerabilities, then do it yourself before publishing the code

At your cost.

Every time you push (or, if not that, at least every time there is a new version that you call a release).

Including every time a dependency updates, unless you pin specific versions.

I assume (caveat: I've not looked into the costs) many projects can't justify that.

Though I don't disagree with you that this looks like a commercial decision with “LLM based bug finders could find all our bad code” as an excuse. The lack of confidence in their own code while open does not instil confidence that it'll be secure enough to trust now closed.
