Why does Google consider Thunderbird not secure enough?

Thunderbird doesn't support two factor authentication, so Google has a means of generating a special credential set that can be used with Thunderbird. When configured in this way it works fine with Gmail, but I guess it is less secure than proper TFA.

It works for me without enabling less secure applications, although I had to switch from POP to IMAP to get it to work since apparently gmail doesn't support OAuth2 with POP.

First I enabled IMAP in my gmail account. I then enabled 2-step verification in Gmail, which involved giving my phone number (grr). I could, and did, then create an App Password. Back in Thunderbird -- since I didn't discover until later that you can convert a POP account to IMAP -- I deleted and recreated my email account in order to switch to IMAP, using the settings given by Google. Thunderbird auto detected the other settings but if you're setting things up manually the authentication method needs to be OAuth2. Note that the password you enter in the settings is the App Password and not your gmail login password. When Thunderbird first checks for email it will pop up a window to a Google page asking you to enter your login details - this time you enter your normal gmail password. (This popup only comes up the first time you check for email.)

I hope the above helps someone.