janalsncm 4 hours ago
Reading between the lines, it seems like they were working with cal.com and used red team bots to find vulnerabilities in cal.com’s code. And they probably found bugs a lot faster than cal.com could fix them. So the CEO balked at the estimated cost of fixing and took his ball home. This article is effectively an announcement that cal.com is riddled with vulnerabilities, which should be easy to find in an archive of their code.
luke5441 3 hours ago
Alternatively, those scanning tools have the same issue all other security scanners have, in that they have too many false positives. And when tuning them to have only a few false positives, they miss the true positives. Then the real work is in investigating each false positive. They can still be useful compared to manual review, but they require real resources. Meanwhile, the flood of false positives causes reputation loss if not addressed. Reputation loss that closed source software does not get. Hence perhaps going closed source.
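The tradeoff luke5441 describes (raise the confidence cutoff and precision goes up while recall drops; lower it and the triage queue fills with false positives) can be made concrete with a threshold sweep. The following is an added example, not code from the thread or from any scanner product; the findings list, confidence scores, ground-truth labels and the 30-minute triage cost per finding are all constructed for illustration.

```python
"""Threshold sweep over constructed security-scanner findings.

Each finding carries a confidence score from a hypothetical scanner and a
ground-truth label (True = real bug, False = false positive) that an analyst
established after manual review. Sweeping the cutoff shows how precision,
recall and triage effort move against each other.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str          # scanner rule that fired (constructed names)
    score: float       # scanner confidence in [0, 1]
    is_real: bool      # ground truth from manual triage


# Constructed sample: 5 real bugs, 7 false positives, scores interleaved
# so that no single cutoff separates them cleanly.
SAMPLE_FINDINGS = [
    Finding("sqli-raw-query", 0.95, True),
    Finding("idor-missing-authz", 0.90, True),
    Finding("xss-template", 0.85, False),
    Finding("ssrf-webhook-url", 0.80, True),
    Finding("hardcoded-secret", 0.75, False),
    Finding("path-traversal", 0.70, False),
    Finding("open-redirect", 0.65, True),
    Finding("weak-random", 0.60, False),
    Finding("xxe-parser", 0.55, False),
    Finding("mass-assignment", 0.50, True),
    Finding("verbose-error", 0.40, False),
    Finding("missing-csp", 0.30, False),
]


def evaluate(findings, threshold, minutes_per_review=30):
    """Apply one confidence cutoff and return the resulting confusion matrix.

    Findings with score >= threshold are surfaced to analysts; everything
    below is suppressed. Triage cost counts every surfaced finding, because
    an analyst has to look at it before knowing whether it was real.
    """
    flagged = [f for f in findings if f.score >= threshold]
    tp = sum(1 for f in flagged if f.is_real)
    fp = len(flagged) - tp
    fn = sum(1 for f in findings if f.is_real and f.score < threshold)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / (tp + fn) if (tp + fn) else 0.0
    return {
        "threshold": threshold,
        "flagged": len(flagged),
        "tp": tp,
        "fp": fp,
        "fn": fn,
        "precision": precision,
        "recall": recall,
        "triage_minutes": len(flagged) * minutes_per_review,
    }


def sweep(findings, thresholds=(0.9, 0.7, 0.5, 0.0)):
    """Evaluate several cutoffs so the tradeoff can be read off in one table."""
    return [evaluate(findings, t) for t in thresholds]


if __name__ == "__main__":
    print(f"{'cutoff':>6} {'flagged':>7} {'tp':>3} {'fp':>3} {'fn':>3} "
          f"{'prec':>5} {'recall':>6} {'triage':>7}")
    for r in sweep(SAMPLE_FINDINGS):
        print(f"{r['threshold']:>6.2f} {r['flagged']:>7} {r['tp']:>3} "
              f"{r['fp']:>3} {r['fn']:>3} {r['precision']:>5.2f} "
              f"{r['recall']:>6.2f} {r['triage_minutes']:>6}m")
```

On this sample, a cutoff of 0.9 yields perfect precision but misses three of the five real bugs, while a cutoff of 0.5 finds all five at the price of five false positives and five hours of analyst time; neither setting removes the need for the manual investigation the comment describes, it only moves where the cost lands.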