Why do they consider it weak from a security standpoint? In other words, how much less secure is it, and are we talking about a worrying threat to a user's coins? A threat that is significant enough to not want to touch it.
Generally speaking, PBKDF2 is considered a weak Key Derivation Function because of how the algorithm is designed. For example, RFC 8018 suggests that for anything security critical an iteration count above ten million should be used.
The reason I disagree with this part is because there is no need for the KDF to give us any security here because we aren't salting users' entered passwords, we are just deriving child keys from an already strong entropy.
An iteration count has traditionally served the purpose of increasing the cost of producing keys from a password, thereby also increasing the difficulty of attack. Mathematically, an iteration count of c will increase the security strength of a password by log2(c) bits against trial-based attacks like brute force or dictionary attacks.
In BIP39 our "password" is the mnemonic which is encoded from an already strong entropy of between 128 and 256 bits. Adding more "security strength" on top of it is not needed.
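
The log2(c) argument above, worked through as an added example (not part of the original answer). It assumes the BIP39 parameters from the specification, which the post does not state: PBKDF2-HMAC-SHA512, 2048 iterations, salt `"mnemonic" + passphrase`, 64-byte output. The sample mnemonic, passphrase and password class are illustrative inputs chosen for this example.

```python
import hashlib
import math
import unicodedata

BIP39_ITERATIONS = 2048  # assumption: value fixed by the BIP39 spec, not stated in the post


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP39 seed from a mnemonic sentence."""
    # BIP39 NFKD-normalizes both inputs before feeding them to PBKDF2.
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ITERATIONS, dklen=64)


def effective_bits(entropy_bits: float, iterations: int) -> float:
    """Entropy of the secret plus the log2(c) bits added by c iterations."""
    return entropy_bits + math.log2(iterations)


def compare(iteration_counts=(BIP39_ITERATIONS, 10_000_000)):
    """Brute-force cost in bits for each secret at each iteration count."""
    secrets = {
        "8 lowercase letters": 8 * math.log2(26),  # constructed weak-password case
        "12-word mnemonic": 128.0,                 # lower bound quoted in the answer
        "24-word mnemonic": 256.0,                 # upper bound quoted in the answer
    }
    return {
        name: [round(effective_bits(bits, c), 1) for c in iteration_counts]
        for name, bits in secrets.items()
    }


if __name__ == "__main__":
    # Sample input: the all-zero-entropy mnemonic, never to be used for real funds.
    sample = " ".join(["abandon"] * 11 + ["about"])
    print("seed:", bip39_seed(sample, "TREZOR").hex())
    for name, bits in compare().items():
        print(f"{name:22s} c=2048: {bits[0]:6.1f} bits   c=10^7: {bits[1]:6.1f} bits")
```

Raising the count from 2048 to ten million adds about 12 bits in every row; that decides whether the weak password is practical to brute-force, while the mnemonic rows are already at 139 bits or more.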