Hacker News

Briefly: there are a lot of common vulnerability classes which can compromise a user of your application / their cookie / their DB record, for example mass assignment (to update the "role" attribute in a free trial account to "admin") or XSS (tweet at your support account and have them click a link to your domain, bam, the adversary now has your cookie and can log in as you).

Separating the admin app and the normal app upper-bounds the impact of those flaws at something lower than "The worst thing someone could possibly do with the admin console." Given that many admin consoles have fairly extensive functionality, that's generally a good idea. (I mean, my businesses are pretty low risk as things go, and my admin consoles would trivially do about $20k of damage just with refunds if compromised.)
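The mass-assignment case the comment describes, as an added example that is not the commenter's own code. It is plain Ruby that imitates an ORM-style `update(params)` by copying request keys onto a record: one version trusts the whole hash, one restricts it to an allowlist, and a third models the "separate admin app" idea by giving the customer-facing record no `role=` writer at all, so the same bug cannot escalate. The `User` class, the `PERMITTED` list and the attacker's form post are all constructed for illustration.

```ruby
# Added example, not from the original comment: mass assignment in plain Ruby.
# `User` stands in for an ORM record; `update_unsafe` mimics an unfiltered
# update(params), `update_safe` an allowlisted one.
class User
  attr_accessor :email, :plan, :role

  def initialize(email:, plan: "trial", role: "user")
    @email, @plan, @role = email, plan, role
  end

  # Vulnerable: every key in the request hash becomes an attribute write.
  def update_unsafe(params)
    params.each do |k, v|
      setter = "#{k}="
      public_send(setter, v) if respond_to?(setter)
    end
    self
  end

  # Hardened: only attributes the profile form is meant to change.
  PERMITTED = %w[email plan].freeze

  def update_safe(params)
    params.each do |k, v|
      next unless PERMITTED.include?(k.to_s)
      public_send("#{k}=", v)
    end
    self
  end
end

# Customer-facing variant: privileged attributes simply have no writer here,
# the way a separate admin app keeps role changes out of the public app.
class CustomerFacingUser < User
  undef_method :role=
end

# Constructed request body: the attacker adds "role" to a profile-edit post.
ATTACKER_PARAMS = { "email" => "eve@example.com", "role" => "admin" }.freeze

def role_after_unsafe_update
  User.new(email: "eve@example.com").update_unsafe(ATTACKER_PARAMS).role
end

def role_after_safe_update
  User.new(email: "eve@example.com").update_safe(ATTACKER_PARAMS).role
end

# Same vulnerable update, but on a record with no role writer.
def role_after_unsafe_update_without_writer
  CustomerFacingUser.new(email: "eve@example.com").update_unsafe(ATTACKER_PARAMS).role
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe update:              role=#{role_after_unsafe_update}"
  puts "allowlisted update:         role=#{role_after_safe_update}"
  puts "unsafe update, no writer:   role=#{role_after_unsafe_update_without_writer}"
end
```

The allowlist is the usual fix, but the third case is the point the comment is making: if the customer-facing application does not expose the privileged operation at all, a filtering bug in it is capped at what that application can do, not at what the admin console can do.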
