That's the most important question, and there's a pretty good case to be made for "yes". It's a severe error in judgment for a security engineer to co-opt an security notification system in order to spread personal messages. Not only is it spam, it desensitizes users to real warnings. (Imagine an email from Google where the subject is "SECURITY ISSUE WITH YOUR ACCOUNT" and the content is an ad for a Pixel). I probably would have given a strong warning rather than firing, but it's not unreasonable to be especially strict when dealing with security matters.