I don't see a disconnect. AI generates things that are similar to existing things (but partly made up and subtly wrong), so just like how it can generate somewhat correct code it can also generate somewhat correct vulnerability reports.
Humans can't write code without bugs either, especially in languages like the one Linux is written in. It's not a binary though, either in terms of how involved the human is in crafting the output or how many bugs are in the code that's getting merged, so I don't think that blanket statements like "AI writes bugs" or "AI finds bugs" are particularly meaningful.