"Cannot" this is not true. It might not satisfy some sort of branding requirement but at the end of the day all a secure boot implementation does under the hood is to verify the kernel against the signing keys stored in the firmware before handing off control to it. The kernel can do whatever it pleases after that including granting you root access, joining a botnet, or, indeed, loading a hibernation image.
As for security, the hibernation image is at risk unless you use full disk encryption. But then (last time I checked) so is the typical Linux distro because ultimately you (the end user) have complete control over the OS. That means that at some point the kernel has to load and run privileged code that was never signed by some central authority. The only alternative to this would be sending all drivers to be signed by someone else, even those you built yourself from source.
tl;dr You can in fact use hibernation if you set it up, even with secure boot. Doing so is not a security issue. Lack of full disk encryption is always a security issue if physical access is an attack vector you are concerned about.
Huh TIL. Apparently the mainline kernel got a lockdown feature in version 5.4 that prohibits this. Ubuntu started shipping with a version of the patches in 2018. So I guess you'll have to disable that "helpful" feature first if you want to restore functionality.
As for security, the hibernation image is at risk unless you use full disk encryption. But then (last time I checked) so is the typical Linux distro because ultimately you (the end user) have complete control over the OS. That means that at some point the kernel has to load and run privileged code that was never signed by some central authority. The only alternative to this would be sending all drivers to be signed by someone else, even those you built yourself from source.
tl;dr You can in fact use hibernation if you set it up, even with secure boot. Doing so is not a security issue. Lack of full disk encryption is always a security issue if physical access is an attack vector you are concerned about.