Much of the issue is how WordPress allows outdated plugins to continue to exist - so many old plugins that have been abandoned are on the repository, installed on boxes and unsafe.... Would be good if the old plugins could be audited somehow... I know, that would be a nightmare!
So - only use up-to-date plugins, folks - even then you're at the mercy of the author.
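The staleness audit the comment wishes for can be approximated from the metadata WordPress.org already publishes per plugin. The script below is an added example (not code from the post or from WordPress) that flags plugins whose `last_updated` date is older than a threshold or whose "tested up to" version lags the running core. It assumes the field names and date format of the WordPress.org plugin-info API (`https://api.wordpress.org/plugins/info/1.0/<slug>.json`); the plugin records are constructed samples with placeholder slugs so it runs offline.

```python
"""Flag stale WordPress plugins from plugin-info metadata.

Added example, not from the original post. Assumes the shape of the
WordPress.org plugin-info API response (fields 'last_updated' and
'tested'); the records below are constructed, not real plugins.
"""
from datetime import datetime, timezone, timedelta

# Constructed sample records in the shape the plugin-info API returns
# for a slug. Slugs and values are placeholders.
SAMPLE_PLUGINS = {
    "example-fresh-plugin": {"last_updated": "2024-05-01 9:15am GMT", "tested": "6.5"},
    "example-stale-plugin": {"last_updated": "2019-02-11 4:40pm GMT", "tested": "5.0"},
    "example-no-date": {"tested": "6.2"},
}


def parse_last_updated(value):
    """Parse the API's 'last_updated' string; return an aware datetime or None."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def version_tuple(version):
    """Turn '6.5.2' into (6, 5, 2) for ordering; non-numeric parts are dropped."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def assess_plugin(slug, info, now, current_wp, max_age_days=730):
    """Return the reasons a plugin looks abandoned relative to the running core.

    A plugin is reported as stale when it has not been updated within
    max_age_days (default two years), when its metadata carries no update
    date at all, or when its 'tested up to' major.minor is behind current_wp.
    """
    reasons = []
    updated = parse_last_updated(info.get("last_updated"))
    if updated is None:
        reasons.append("no last_updated date in metadata")
    elif now - updated > timedelta(days=max_age_days):
        reasons.append(f"not updated for {(now - updated).days} days")

    tested = info.get("tested")
    if not tested:
        reasons.append("no 'tested up to' version")
    elif version_tuple(tested)[:2] < version_tuple(current_wp)[:2]:
        reasons.append(f"only tested up to WordPress {tested}, running {current_wp}")

    return {"slug": slug, "stale": bool(reasons), "reasons": reasons}


def audit(plugins, now, current_wp, max_age_days=730):
    """Assess every plugin in a slug -> metadata mapping."""
    return [assess_plugin(slug, info, now, current_wp, max_age_days)
            for slug, info in plugins.items()]


if __name__ == "__main__":
    # Fixed 'now' so the sample output is reproducible.
    today = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for result in audit(SAMPLE_PLUGINS, today, "6.5"):
        status = "STALE" if result["stale"] else "ok"
        print(f"{result['slug']:24} {status:6} {'; '.join(result['reasons'])}")
```

In a real deployment the metadata dict would come from fetching the API for each slug listed by the site's plugin inventory; the thresholds are policy choices, and a plugin that passes them is still only as safe as its author's code, which is the comment's closing point.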