Let's start by looking at what typical tokens are.
A fungible token is simply a store of the following records:
(public key, amount)
There is a stored procedure that lets anyone with the private key to lower the "amount" value on their row and increase the "amount" value on another row by the same amount. There's no tracking of which part of the amount came from where, the "tokens" are fungible.
Now let's look at what a non-fungible token is.
It's a store of the following records:
(public key, id)
Whoever has the private key can change the public key field in the record.
That's... it.
You can add a table that has
(id, metadata, url), that's common and what you see with most shown NFTs. There's some helper functions but really that's the essence of it.
None of that necessitates it being sold as an investment in a common enterprise any more than selling bits of paper with a number and a signature on them does. Signed prints by an artist aren't securities, your place in the line in a queue isn't a security, a concert ticket isn't a security.
You can obviously however treat the above data structure as representing some kind of security. This is true with fungible tokens too, a list of shareholders is essentially the same structure. So it comes down to how it's sold.
Not all ownership denotes a security. If you own (and own can often be interpreted simply around having control over) a thing, you can sell it without that necessarily being a security. That's why the test is not "can it be sold".
