I believe the reason they are called "gaping security holes" is that if nc is installed as setuid root, they allow local privilege escalation (see https://serverfault.com/questions/237584/netcat-e-the-gaping..., https://nc110.sourceforge.io/). Another explanation is that they make it trivial to create reverse shells etc. (though it is still possible to create reverse shells without -e/-c, for example using named pipes).