Complete agreement; anything that can be used for tracking is a security vulnerability. That doesn't mean it's a top-priority security vulnerability on par with remote code execution, but there's already a whole vulnerability category for "information disclosure".