They're not changing the addresses for security, but for anonymity.
No. It's the case for both. Until you spend from an address, you aren't showing your public key to anyone. That is *fine* for now as there is no security flaw in Bitcoin or the relevant algorithms (we can ignore ASICBoost). So what happens when ECDSA is compromised, let's say due to a quantum computer? Any address that was reused, and still has funds on it, is unsafe. Given the exploit, someone could reverse engineer the private key from that public key.
Tl;dr: It's both for privacy and security. Address re-use is not recommended. Avoid where possible.
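The condition the reply describes (an address that has been spent from and still holds funds) can be checked from transaction history. The following is an added example, not part of the posts above; it assumes a simplified model in which every output pays one hash-based address and spending an output reveals that address's public key, and the ledger, field names and address names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ledger (not real chain data). Each output is
# (address, value); each input references a prior output as (txid, index).
LEDGER = [
    {"txid": "t1", "inputs": [], "outputs": [("addrA", 50), ("addrB", 20)]},
    # Spends addrA's coin and sends the change back to addrA (reuse).
    {"txid": "t2", "inputs": [("t1", 0)], "outputs": [("addrC", 30), ("addrA", 20)]},
    # Spends addrB's coin completely; nothing returns to addrB.
    {"txid": "t3", "inputs": [("t1", 1)], "outputs": [("addrD", 20)]},
    # addrD receives a second time but has never been spent from.
    {"txid": "t4", "inputs": [], "outputs": [("addrD", 5)]},
]


def audit(ledger):
    """Return {address: {"balance": int, "pubkey_exposed": bool}}."""
    outputs = {}   # (txid, index) -> (address, value)
    spent = set()  # output references consumed by some input
    for tx in ledger:
        for index, (addr, value) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], index)] = (addr, value)
        spent.update(tx["inputs"])

    # Assumption of this model: spending an output publishes the public key
    # behind its address, so any address that funded an input is exposed.
    exposed = {outputs[ref][0] for ref in spent}

    balance = defaultdict(int)
    for ref, (addr, value) in outputs.items():
        balance[addr] += 0 if ref in spent else value

    return {a: {"balance": b, "pubkey_exposed": a in exposed}
            for a, b in balance.items()}


def at_risk(ledger):
    """Addresses whose public key is exposed and that still hold funds."""
    return sorted(a for a, s in audit(ledger).items()
                  if s["pubkey_exposed"] and s["balance"] > 0)


if __name__ == "__main__":
    for addr, state in sorted(audit(LEDGER).items()):
        print(addr, state)
    print("move funds off:", at_risk(LEDGER))
```

In this sample only `addrA` is flagged: `addrB` was spent from but is empty, and `addrD` received twice but has never revealed its key.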