pm:security-php only suggests a composer command for the first package

[prudloff-insite]

Describe the bug
I am trying 426ebed and it works great but it only suggests a composer why command for the first package.

To Reproduce

composer require spoonity/tcpdf 6.2.1
composer require zetacomponents/mail 1.8.1
drush pm:security-php

Expected behavior
Suggest multiple commands to run.

Actual behavior

 [warning] One or more of your dependencies has an outstanding security update.
 [notice] Run composer why spoonity/tcpdf to learn what  module requires the package.
spoonity/tcpdf:
  version: 6.2.1
  advisories:
    -
      title: 'Attackers can trigger deserialization of arbitrary data via the phar:// wrapper.'
      link: 'https://github.com/tecnickcom/TCPDF/commit/1861e33fe05f653b67d070f7c106463e7a5c26ed'
      cve: CVE-2018-17057
zetacomponents/mail:
  version: 1.8.1
  advisories:
    -
      title: 'Arbitrary code execution via a crafted email address'
      link: 'https://github.com/zetacomponents/Mail/issues/58'
      cve: CVE-2017-15806

System Configuration

Q	A
Drush version?	10.2.2
Drupal version?	8.8.4
PHP version	7.1.33
OS?	Linux