For it to fix the bug it has to identify the bug. If the bug is a security vulnerability then it will have to identify the security vulnerability to fix it. What's the alternative, have it ignore vulnerabilities/bugs? It wouldn't be a very good coding companion in that case.

I'd pay less attention to the prompt and more attention to the output when interpreting this story. (I'm not saying I agree with the decision, but this is how they are looking at it.)