weiliddat 17 hours ago

Let's go one step further and think about why OSS maintainers generally approach security vulnerabilities the way they do (even pre-AI), and why some people have a significant negative reaction to this type of bug/security/issue reporting approach.

What happens if they treat every single report with the same effort and seriousness regardless of how it is reported? What happens if they dedicate too much effort in wild goose hunts while disregarding the more mundane/concrete security and maintenance work? How would an attacker take advantage of this process?

If you work in software, maybe you've encountered this yourself, in orgs where they don't have good processes around reporting bugs/issues. You essentially get DoSed by noise. You get tons of issues from customers (or internal stakeholders representing them), some barely describing stuff like "hey X can access Y, don't think they should" without any context (or even refusing to provide further information even after you ask), forcing you/CS to prune down all possible paths based on audit logs and their permission settings and so on.

Customers (in this case I'd say OSS users are customers too) can say "yeah this is the responsibility of the maintainers/vendors, why should I even care to report things a certain way, be glad I even told you at all" but IME this social posture is terrible for both parties. Even in commercial relationships, the best customers I've had were ones that reported issues that were concrete and reproducible. The chances I can fix it almost immediately go up by orders of magnitude. The customer gets what they want and my job is simpler.

Even the core claim of the article, "this is a systemic issue", isn't fixed by a carrot disclosure. They don't imply an organizational/structural issue, merely a legacy one (inheriting stuff from gitea/gogs). What more do you gain by putting social-political pressure on an OSS project, if it's not a social-political problem?

The post reads more like an emotional response (frustration) rather than a productive one.