It’s not out of scope imo, certainly not wholly. If a contract is designed to prevent X, and it succeeds in preventing X, but you can make Y happen which is an automorphism to X in terms of its functional properties, then in effect you’ve failed at properly trying to prevent X. To me that’s still part of security, and doesn’t always have to involve simulations or data.
A trivial example would be a token contract that doesn’t allow transfers for N days, but that allows the loophole of contracts being able to buy tokens, which can then issue trustless futures wrapper tokens that the owner can automatically redeem for the underlying “real” token once the token contract allows transfers.
From a code perspective, a simple “pause” on the transfer function would be correct, but would fail to actually prevent the effect of balance ownership changing hands.