
300 is nothing compared to the typical Node project. It's typical for a basic React project to have over 14,000 dependencies.


Can you please source this? A React project can be so many things... do you mean create-react-app? A custom React app?


create-react-app starts with 1506 deps:

    $ npx create-react-app my-app
    $ find my-app/node_modules -name package.json | wc -l
        1506


90% of which are development tools - eslint, testing, typescript, webpack, etc.

The actual runtime dependencies of a react app are basically just react and react-dom.


Are dependencies that run on your development machine any less of a maintenance or security concern?


No, but the number being quoted is the sum of two different security concerns - and it’s attributing the concern to ‘react apps’, when actually react itself is pretty clean in terms of dependencies.


Yes, because they aren't running in prod.
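Added example, not part of any comment in this thread: the dev-versus-runtime split debated above can be read from `package-lock.json` (lockfileVersion 2 or 3), where npm marks each entry with `dev`, `devOptional` or `optional` and sets `hasInstallScript` on packages that run code at install time. The lockfile below is constructed for illustration; its package names and versions are assumptions, and the function names are hypothetical.

```javascript
// Constructed sample in package-lock.json v3 shape; names and versions are illustrative.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "0.1.0" },
    "node_modules/react": { version: "18.2.0" },
    "node_modules/react-dom": { version: "18.2.0" },
    "node_modules/scheduler": { version: "0.23.0" },
    "node_modules/eslint": { version: "8.57.0", dev: true },
    "node_modules/@babel/core": { version: "7.24.0", dev: true },
    "node_modules/eslint/node_modules/debug": { version: "4.3.4", dev: true },
    "node_modules/example-native-tool": { version: "1.0.0", dev: true, hasInstallScript: true },
    "node_modules/example-optional-addon": { version: "2.0.0", optional: true, hasInstallScript: true },
  },
};

// Bucket each lockfile entry by the scope flags npm records (dev, devOptional, optional).
function classifyLockfile(lock) {
  const marker = "node_modules/";
  const out = { runtime: [], devOnly: [], devOptional: [], optionalOnly: [], installScripts: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link) continue; // skip the root project and workspace symlinks
    const i = path.lastIndexOf(marker);
    const name = i === -1 ? path : path.slice(i + marker.length); // handles nesting and @scopes
    const id = `${name}@${entry.version}`;
    const scope = entry.dev ? "devOnly"
      : entry.devOptional ? "devOptional"
      : entry.optional ? "optionalOnly"
      : "runtime";
    out[scope].push(id);
    // Install scripts execute at `npm install` time, on developer and CI machines alike.
    if (entry.hasInstallScript) out.installScripts.push({ id, scope });
  }
  return out;
}

// Reduce the buckets to counts, keeping the install-script list for review.
function summarize(lock) {
  const c = classifyLockfile(lock);
  const total = c.runtime.length + c.devOnly.length + c.devOptional.length + c.optionalOnly.length;
  return {
    total, runtime: c.runtime.length, devOnly: c.devOnly.length,
    devOptional: c.devOptional.length, optionalOnly: c.optionalOnly.length,
    installScripts: c.installScripts,
  };
}

console.log(summarize(SAMPLE_LOCK));
```

For a real project, pass the parsed contents of its own `package-lock.json` to `summarize` in place of the sample.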



