As a general rule, many commit messages are not as informative as they could be or should be. Andrew Morton regularly rants about this. I personally find that writing a good commit message helps me find problems with the commit often enough that it is clearly worth while. It seems that others don't :-(
So commit messages don't guarantee anything, and they could certainly be better.
But that doesn't excuse removing security related information from commit messages, or deliberately leaving it out. We should always include anything useful that we know. We cannot justify leaving info out because some other commit message doesn't have that kind of info.
So sure: if people only back-port commits which say "bug fix" or "security issue" in the commit message, then they are being foolish. But it is not our place (or Linus' place) to stop people from being foolish.
It *is* our place to make the code and the code-history as easy to understand and maintain as possible.