Vulnerability Insight:
VRFY and EXPN ask the server for information about an address. They are
inherently unusable through firewalls, gateways, mail exchangers for part-time hosts, etc.
That, um, isn’t very insightful. I suppose (though they don’t bother to say it) the concern is that it gives a bad actor a relatively easy way to check whether an account exists on your server, but calling that a “vulnerability” sounds like a bit of a stretch.