Shipping debug symbols isn't a security vulnerability. It might be sloppy, but we all know that security through obscurity doesn't work. Especially not with modern analysis tools and access to the executable code.