If they understand security better than their customers, it's correct for them to say so when an issue doesn't require customers to individually review whether they are affected.

If they misjudge that, it isn't an indication that they don't "take security seriously". It just means they made an error in judgment.