As mentioned in the below article
Security Alerts (for members other than org or repo admins) can be enabled only for members with write access to the repo. I am wondering why it is designed that way and if there is any change planned to add members with "Read" access in the notification list. Members of the security team may need to receive these alerts, but don't necessarily need write access as they would not be contributing any code changes.
Thanks for taking the time to write this feedback. This is a great question and one that we are actually already investigating in an internal issue, and I've added your feedback to it. For now, would it be possible for your organization to delegate Write permissions via teams (including to the security folks), and then use protected branches and a CODEOWNERS file with broad coverage to require review for any pull requests that touch files in the repository?