
Or contact the person if you can and ask them how they got in; maybe even offer them a financial reward.

Since he contacted you anonymously and is not trying to extort you, he's just trying to point the issue out, so there's no point in overreacting.




Sure, getting information on the particular vulnerability and its fix is useful.

However, doing anything less than a clean reinstall of the tainted system and implementing the fix there would be underreacting. Verifying whether that system was or wasn't backdoored takes ten (if not a hundred) times more effort than nuking it from orbit and reconfiguring a new one.


How much would you trust that person? Enough to potentially risk your business on them?


It's not about trust, it's about information gathering. The goal is twofold:

1. figure out the intentions of the individual

2. quickly find and fix the affected system

To be clear, it doesn't matter if the information is true or false, because if it's true you can find evidence on the system to confirm it, and if it's false it could still prove useful.

You can nuke it from orbit later; that could take hours or even days depending on how much stuff you have on it. Plus, if the entry point was through the new app you just created, nuking it won't fix the issue.

The moment you put the app on the new server you opened yourself up to get hacked again.

We all know a constantly updated system with nothing happening on it is incredibly hard to hack vs. a system that has a lot of things happening on it. The more things you're doing on a server, the higher the attack surface. Plus, it's a small company we're talking about here, so they probably want to keep costs down by doing everything on as few servers as possible.


You are already trusting that person enough to risk your business on them if that server is still up and running after finding the security hole.


It's not just about that server, though; who knows if the other servers were compromised?



