ECDSA is just an HMAC (hashed message authentication code), though I'm probably abusing the "formal" definition; that's what it is, and the problem with it is that due to the way it's calculated there is a fairly substantial number of different hashes that can be valid on a signature, thus it is "malleable" - put it this way, if you are hash-grinding (like mining) and you can cut the bit-size of your seed down to only like 8 bytes (64 bits) of data, it's feasible to sic a farm of machines on the task of trying out variants of that hash value that satisfy the ECDSA signature, potentially within days, or at most weeks, for a large attacker to use.
Schnorr is simpler than ECDSA, as well as lacking this weakness of imprecision that gives this wide scope for tampering with a message (i.e. a transaction) that could potentially change the payee of the transaction, so you see what the problem is when you fully grasp what malleability means.
It's not a weakness that a lone-wolf hacker can exploit; it's a weakness that a GOVERNMENT-sized hacker can exploit, and that's why it's troublesome.