If RewriteCond (or any other Apache directive) doesn't behave as documented, that's a correctness issue.
If you use RewriteCond as the basis of securing your website, that's a security issue for you.
If it's a security issue for a significant number of users, or if the documentation recommends using the directive for a security role, then it's also a security issue for the product itself.
I don't see how it becomes irrelevant. It's as if I have a door in the entrance to my building that serves multiple purposes, such as holding the company logo and keeping the A/C-controlled air in, and then someone smashes the door with a sledgehammer. The fact that all of the door's functionality stopped working doesn't make the security aspect of not having a door irrelevant.
A better analogy is that you decided to replace your door with a new one, and before installation you notice that it is smashed to pieces and can't be used.
I'll take that. But in this case it's even worse, as apparently they never bothered to check if the door is in one piece and just screwed the smashed pieces onto the hinges regardless. So now it's not working as a door neither functionally nor security-wise, but it took someone visiting from outside to see that the emperor has no door.