Is there a reason not to have this flag for the install command?
It doesn't work, if you don't have a composer.lock file.

In DDEV, we split composer create-project in several steps https://docs.ddev.com/en/stable/users/usage/developer-tools/#ddev-and-composer (needed for internal reasons).

If I run this, it doesn't let me to install:

composer create-project "typo3/cms-base-distribution:^11" . --no-install
COMPOSER_NO_SECURITY_BLOCKING=1 composer install

But at the same time I can do this:

composer create-project "typo3/cms-base-distribution:^11" . --no-install
COMPOSER_NO_SECURITY_BLOCKING=1 composer update

If you run the install command without a lock file you are performing an update, so call the update command if you don't have a lock file. The install command should not be used without a lock file as is evident from its output too, hopefully.

But since people insist on doing this, I guess it would only be consistent to pass along these flags to any update triggered by the install command when it finds the lock file it requires is missing.

The create-project command does this internally and executes an update if there is no lock file present: https://github.com/composer/composer/blob/main/src/Composer/Command/CreateProjectCommand.php#L253

Yeah I think I'd rather not add it so that it remains very clear that install itself does NOT do any filtering of vulnerable dependencies, it installs a lock file as is and that's it.