Why does the advisor say my security group provides public access to port xyz?

This essentially means that port xyz is open to anyone on the internet to try to connect, probe, and so on. You have enabled a CIDR address of for this security group rule. You should really try and restrict access to a class of IP specific to your use case rather than open it up for every one. Even if you are using SHH keypair auth, you will still have the nuisance value of thousands of bots trying to probe the port everyday.