True confession time: several years ago I had a few WordPress sites. I didn't update them for months and they got hacked. Someone uploaded a PHP shell to the server and they also were able to redirect search engine traffic. To me, it looked like the site was normal. However, when a visitor came from a search engine, they were redirected to the attacker's site. They took advantage of yet another flaw in WordPress.
Now, some people affiliated with Acquia and other companies are keen on bringing that experience to Drupal.
Specifically, they want to allow the Project Browser module to write directly to the server so it can do automatic updates and install modules. Here's the issue. They've made it clear that this would not just be for local installations. It would come with a strict warning in settings.php but, c'mon, everyone knows what's going to happen.
For a lot of people, using the command line and composer is out. And, instead of learning that, hiring someone, or using the Sheephole project, they'll make a quick change to settings.php and as a result practically beg to be hacked.
In fact, bots looking for Drupal 7 vulnerabilities are still out there. Here's a recent post about someone trying to upload a PHP shell through the user login form. Vulnerabilities in contrib modules are found all the time. A zero day exploit or admins not patching sites in time could result in huge problems for both sites and consumers. Some bank and hospital sites run on Drupal and, while you might think they'd hire competent people, some of those are still running Drupal 7 or even 8/9 long after they've reached end-of-life.
Acquia et al have run off a lot of smaller sites, causing them to move to WordPress or other platforms. If Drupal gets a reputation as easy to hack, it's going to get even less popular and with those who are clients of those large agencies. So, they have a financial interest in not continuing down this unsafe road.