I believe their point was that:
"How likely is this diff a patch for an existing vulnerability?"
Seems to be an easier question to answer than
"Are there any new vulnerabilities introduced by this diff?"
In other words, identifying that a patch is for a vulnerability is typically easier than finding the vulnerability in the first place.
If the diff will just be fed to LLMs regardless, then what is easier is probably a moot point.