Yes I understand, what you describe is something I would definitely consider as a security issue.

However just like how say the DoS using SYN floods was not treated as an important issue by ISPs and other network operators for a long time, I am not surprised OpenAI/Microsoft is treating yours not seriously.

The attitude typically would as long as it doesn't affect my services it is not my job to worry about it, until it becomes a PR issue.