User blog comment:DaNASCAT/Technical Update: September 30, 2014/@comment-452-20141003180903/@comment-452-20141029092516

More info for anyone wondering: Global, user and site Javascript and CSS are blocked on all pages ending in ".js" in the User and Mediawiki namespaces, as well as Special:Preferences. (There may be others pages.)

I had assumed "Security Updates" meant something else, but I've had it explained to me in a support ticket that the "Security Issue" in question is potential malicious admins, who might edit a .js page for nefarious purposes.

Presumably, blocking javascript and CSS when editing a .js page is to prevent malicious admins from preventing other users from removing javascript.