The Quality Rule "Avoid many-to-many association" is included in the Security Index because it is part of the "Architecture - Multi-Layers and Data Access" Technical Criterion. This is the structure of our Assessment model: the mapping of Quality Rules to Technical Criteria and the mapping of Technical Criteria to Business Criteria are independent. It's a mesh, not a tree.
As such, each rule contributing (indirectly) to the Security Index must not be considered a security hole. Rather, we have a global assessment of the app on a Technical aspect (here, how well architected the app's data access is). We then estimate that this Technical assessment contributes with a given importance to the global Security score, together with the assessments done on other aspects. However, if in your particular application this particular rule is not relevant or should not be considered so critical, it is always possible for you to customize the assessment model locally.