Why do you have to be an admin to create a symlink in Windows?

By default, only administrators can create symbolic links, because they are the only ones who have the SeCreateSymbolicLinkPrivilege privilege found under Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\ granted.

From Microsoft TechNet: Security Policy Settings New for Windows Vista:

Symbolic links (symlinks) can expose security vulnerabilities in applications that aren't designed to handle symbolic links.


It is not entirely (see below) the case anymore as of Windows 10 Insiders build 14972 (Windows 10 Creators Update ~ 1703).

However, from the comments below the blog post, concerns about the issues mentioned in the other answers are still there, and to make use of this new behaviour, you need to:

  • enable developer mode on your machine
  • pass a SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE flag to the CreateSymbolicLink API
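An added example, not part of the answer above: a PowerShell audit that reports the two conditions just listed (the privilege in the current token, Developer Mode) and tries CreateSymbolicLinkW with and without the flag in a scratch directory. The Developer Mode registry value, the flag's numeric value 0x2 and the helper names are assumptions not found on the page.

```powershell
# Added example: audit whether this session can create symbolic links, and why.
Add-Type -Namespace Demo -Name Symlink -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
[return: MarshalAs(UnmanagedType.I1)]
static extern bool CreateSymbolicLinkW(string link, string target, uint flags);

// Returns 0 on success, otherwise the Win32 error code.
public static int TryCreate(string link, string target, uint flags) {
    return CreateSymbolicLinkW(link, target, flags) ? 0 : Marshal.GetLastWin32Error();
}
'@

$SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE = 0x2   # value from the Windows SDK

function Test-SymlinkPrivilegeInToken {
    # /nh drops the localized header row; only presence in the token matters.
    $privs = whoami /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
    [bool]($privs | Where-Object Name -eq 'SeCreateSymbolicLinkPrivilege')
}

function Test-DeveloperMode {
    # Registry location of the Developer Mode switch (not taken from the page).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $v = Get-ItemProperty -Path $key -Name AllowDevelopmentWithoutDevLicense -ErrorAction SilentlyContinue
    [bool]($v -and $v.AllowDevelopmentWithoutDevLicense -eq 1)
}

function Test-SymlinkCreate([uint32]$Flags) {
    # Creates a file link to a constructed target in a scratch directory, then cleans up.
    $dir = Join-Path $env:TEMP ("symlink-audit-" + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    try {
        $target = Join-Path $dir 'target.txt'
        Set-Content -Path $target -Value 'constructed test file'
        [Demo.Symlink]::TryCreate((Join-Path $dir 'link.txt'), $target, $Flags)
    } finally {
        Remove-Item -Recurse -Force $dir
    }
}

# 0 = created, 1314 = ERROR_PRIVILEGE_NOT_HELD,
# 87 = ERROR_INVALID_PARAMETER (builds that predate the flag reject it).
[pscustomobject]@{
    PrivilegeInToken = Test-SymlinkPrivilegeInToken
    DeveloperMode    = Test-DeveloperMode
    ErrorWithoutFlag = Test-SymlinkCreate 0
    ErrorWithFlag    = Test-SymlinkCreate $SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE
}
```

On a standard-user session with Developer Mode on, the expected pattern is `ErrorWithoutFlag = 1314` and `ErrorWithFlag = 0`, which shows that callers must opt in through the flag.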

I found the reason when Vista was launched. The given reason for admins only is very simple. It's not unspecified security problems; it's that thousands of pieces of software have to be upgraded to use API calls that literally didn't exist before they were added to avoid gaping security holes when traversing symbolic links.

Windows is horribly vulnerable to symbolic link racing; there are ways to avoid this, kind of, but virtually no applications are using the APIs in such a way at all. Even Microsoft is not accepting security bugs that involve symbolic link racing. I just tried to report one three months ago.