We will no longer accept public pull requests. From now on, code changes to the Ladybird codebase will only be introduced by project maintainers.
They are worried about vulnerabilities that are introduced knowingly. They said that in the past you could trust that if someone spent months writing code for your project, he did it in good faith and not to sneak a backdoor past you. Basically they assumed a hacker would not invest months of work trying to add a bug to an open source project because it’s just not worth it. Now, because of AI, someone can easily create a big PR with a hidden bug, hoping that it will get merged.
I have no idea how true it is (i.e. if AI is able to generate a big PR that will pass all the checks and get approved) but logically it does make sense.