Maybe because it is a non-essential tool with many alternatives available? It could also be because there are already illicit parties using atop to hack companies? Still, publishing a CVE with the specific exploit and a recommendation to fully delete atop would be better. Even if there is no patch available.