I'd assume the security vulnerability is there no matter what the error message says, but I guess very explicit and verbose error messages might expose details to make it easier to find said vulnerability.