ossf / scorecard-webapp

Website and API for OpenSSF Scorecard
https://scorecard.dev
Apache License 2.0
22 stars 27 forks

Docs: clarify wording around security risk #638

Closed raghavkaul closed 4 months ago

raghavkaul commented 4 months ago

Originally ossf/alpha-omega#359:

The checks section of the homepage starts with:

The checks collect together security best practises and industry standards

The riskiness of each vulnerability is based on how easy it is to exploit. For example if something can be exploited via a pull request, we consider that a high risk.

The example (described in the last sentence quoted) is very hard to understand. I cannot figure out what "something can be exploited via a pull request" means.

It would help to give an example of what "something" can be and to clarify what you mean by "a pull request".

By the way: Sentences should be terminated with a full stop ("."), including the one opening the section.