They didn't "forget"; rather, those security issues have nothing to do with JSON itself. Probably the only reason section 12 made it into the document was to highlight that, unlike most derived standards, you should not parse this directly in the parent domain.
IETF standards documents avoid going off on tangents; if one were about safety issues in a car, it'd talk about airbag requirements, not how the driver should perform evasive maneuvers.