Generally a regular issue is much less likely to get you hacked.
Security issues often come with legal liability, which is why a bad security department will act overly important and stomp around demanding changes be made right the fuck now.
But I do get it, a good security team should be enabling their dev teams to solve issues in the least disruptive way possible, not just throwing them work and barking orders.
In some places I have worked, the sec teams will find an issue and push PRs to fix them, explaining the security concern, and requesting only a review and merge.