I can only speak for SpiderMonkey, as that’s the team I’m on, but we humans are definitely writing and reviewing the patches for these bugs. Sometimes the AI suggestions are good, often they’re not, and we never send off a fix for a security bug unless we thoroughly understand the problem and have assessed its severity ourselves.