it’s more their track record; I have only explored a certain portion of their code only
like 2 years ago, I had to annoy them for months before an SQL injection bug got fixed (it was simple also, they were passing field names from request body directly to the DB)
they also took a month of pestering to fix a bug that allowed draining Eclair nodes… with a hodl invoice (yes, you just wait 30 seconds)
their satsdice plugin had improper access control, meaning invoice keys meant to be receive only could drain wallets