The scope included in the service provider nomination post includes only reviewing calldata for executable proposals, which contributes to transparency and security on what is being executed.
The service providers report explicitly mentions that the research related to the security council is out of the scope.
In the end, it comes down to the allocation of the team. The squad working on service provider scope is one (and all the scope that was delivered and will be is publicly available in this github projects board), the team involved in this research was a parallel work that involved the research team and others.
Rather than thinking about saving resources internally, we dedicated all necessary resources to addressing the attack vector.
I hope this clarifies. It’s a valid question. Thanks for addressing this concern, Limes!