printf("%n") has been considered a security risk for some time already; it can be used to rewrite memory. Multiple printf implementations have added restrictions on it (Android libc aborts on %n, Windows Vista and later require explicit opt-in, glibc and OSX require format strings to be in read-only memory).
Considering that GnuPG is a security-critical application, it would benefit from avoiding dangerous techniques.
By a modest assessment, there are only a handful of uses of printf-%n in all of GnuPG:
./doc/mkdefsinc.c:289: snprintf (p, n, "%d %n%s %d",
./g10/keylist.c:277: tty_fprintf (fp, "%s%c %s/%s %n",
The first one is easy to fix. I'll post a patch.
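
One way to drop %n from a call shaped like the mkdefsinc.c one, as an added example (not GnuPG code and not the patch mentioned above): the offset that %n would have stored is the return value of a first snprintf call. The function name, its arguments and the sample values are assumptions; only the format string "%d %n%s %d" comes from the report.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from GnuPG): builds "<num> <text> <num>" in buf,
 * the same output as snprintf(buf, size, "%d %n%s %d", a, &off, text, b),
 * and reports where <text> starts without using %n.
 * Returns the total length written, or -1 on error or truncation. */
static int format_without_n(char *buf, size_t size, int a, const char *text,
                            int b, size_t *text_off)
{
    /* First part: everything that preceded %n in the old format string. */
    int head = snprintf(buf, size, "%d ", a);
    if (head < 0 || (size_t)head >= size)
        return -1;

    /* The return value of snprintf is the offset %n used to store. */
    size_t off = (size_t)head;

    /* Second part: everything that followed %n, appended at that offset. */
    int tail = snprintf(buf + off, size - off, "%s %d", text, b);
    if (tail < 0 || (size_t)tail >= size - off)
        return -1;

    *text_off = off;
    return head + tail;
}

int main(void)
{
    char line[32];
    size_t off = 0;

    /* Constructed sample values. */
    int len = format_without_n(line, sizeof line, 7, "October", 2014, &off);
    if (len < 0) {
        fputs("buffer too small\n", stderr);
        return 1;
    }
    printf("full: \"%s\" (len %d)\n", line, len);
    printf("from offset %zu: \"%s\"\n", off, line + off);
    return 0;
}
```

Unlike the %n form, this version also detects truncation at each step, so the reported offset is never past the end of the buffer.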