A poor codebase makes it hard to audit it to make sure there aren't bugs or exploits. In the case of Sendy, how would a user know that a spammer isn't able to exploit it to send spam to everyone in Sendy's MySQL database? That's potentially very damaging to a business (especially if you're running Sendy on behalf of a client).
Sending email to a list is easy. Sending email to a list securely is harder.