Comment on Why software 'security debt' is becoming a serious problem for developers

Mischala@lemmy.nz 8 months ago

Generally a regular issue is much less likely to get you hacked.
Security issues often come with legal liability, which is why a bad security department will act overly important and stomp around demanding changes be made right the fuck now.

But I do get it, a good security team should be enabling their dev teams to solve issues in the least disruptive way possible, not just throwing them work and barking orders.

In some places I have worked, the sec teams will find an issue and push PRs to fix them, explaining the security concern, and requesting only a review and merge.
