Are there security reasons for prohibiting universal mac address modification?
It is difficult to answer this question, because we don't have any insight into the way of thinking of those at Microsoft.
However, as you said, there are two types of MACs: a universally-administered address (UAA) and a locally-administered address (LAA).
UAAs get the MAC-ID from the vendor; it contains the vendor's OUI. Although you can, you should never use these yourself, unless you are a vendor. They are (more or less) guaranteed to be unique. You should never get a second device with the same MAC; no collisions.
LAAs are meant to be locally administered. If you get a collision, it's your problem.
So, for a normal end user, or even a company, if you use your MACs, you would only use LAAs, for fear of collisions. Why should you need to change it to a UAA then? Windows probably would conclude that this is an error that must be prevented.
For many of these actions, there is an "are you sure" dialog. However, Microsoft probably cannot see a legitimate case where such a change is needed, so you are probably hacking.
But then again, unless someone who made the decision at MS answers, we'll never know.
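
The UAA/LAA distinction described in the answer is carried in the address itself: bit 0x02 of the first octet (the U/L bit) is clear for a UAA and set for an LAA. As an added example, not part of the original answer, this Python sketch classifies addresses and lists the locally administered ones in a lease list; the "MAC hostname" line format and every sample address are constructed.

```python
import re

UL_BIT = 0x02  # set = locally administered (LAA), clear = universally administered (UAA)
IG_BIT = 0x01  # set = group/multicast, clear = individual/unicast

def parse_mac(text):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify(text):
    mac = parse_mac(text)
    local = bool(mac[0] & UL_BIT)
    return {
        "mac": mac.hex(":"),
        "admin": "LAA" if local else "UAA",
        "cast": "multicast" if mac[0] & IG_BIT else "unicast",
        # The first three octets are a vendor OUI only when the address is a UAA.
        "oui": None if local else mac[:3].hex(":"),
    }

def to_laa(text):
    """Same address with U/L set and I/G cleared, i.e. a valid unicast LAA."""
    mac = bytearray(parse_mac(text))
    mac[0] = (mac[0] | UL_BIT) & ~IG_BIT & 0xFF
    return bytes(mac).hex(":")

def locally_administered(lease_lines):
    """Return hostnames from 'MAC hostname' lines whose MAC is an LAA."""
    hits = []
    for line in lease_lines:
        mac_text, host = line.split()
        if classify(mac_text)["admin"] == "LAA":
            hits.append(host)
    return hits

# Constructed sample data: the line format and every address here are made up.
SAMPLE_LEASES = [
    "00:1A:2B:3C:4D:5E printer-3",
    "02-00-5E-10-00-01 laptop-a",
    "DA:A1:19:7F:22:10 phone-b",
    "0011.2233.4455 switch-1",
]

if __name__ == "__main__":
    for line in SAMPLE_LEASES:
        print(classify(line.split()[0]))
    print("LAA hosts:", locally_administered(SAMPLE_LEASES))
```

An LAA in such a list is not proof of spoofing: virtual machine interfaces and operating systems that randomize Wi-Fi addresses also produce them.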