It's an attempt to force people to use their apps.
Yahoo's E-mail apps effectively work as browsers which communicate with their server via what is known as oAuth2. Mail clients like Thunderbird can use this too, however, one of the caveats of the approach is that each client requires it's own API Token. Yahoo's Apps, unsurprisingly, all have an issued token. Yahoo, however, refuses to issue a token for Mail clients such as Thunderbird- as a result, they cannot connect.
It's not a security consideration since SSL/TLS E-mail connections are perfectly adequate. Yahoo considers them "less secure" for no reason but their own- The only difference would seem to be Yahoo's ability to directly control what software can interface with their mail servers, and encourage people to use their Apps. (Which I'd be surprised if they weren't rife with advertisements!)
As an interesting aside- Google also uses oAuth2, however, unlike Yahoo, they happily issued Thunderbird with an API Token.
Considering Yahoo seems to have a major security incident at least once a year I'm not sure I'd accept their security advice as being from a position of any form of authority. In 2012 they were found to be storing passwords in their database in plain text, they've had frequent security breaches, security problems where they use poor security on things like "remember me cookies" which allowed hackers to log in as anybody and steal data from over a billion accounts... and now they want to get haughty about SSL/TLS somehow not being sufficient for E-mail clients?