29 Oct 2021

WordPress Security Plugin’s Lack of Security Allows For Easy Disabling of Its Functionality

What probably goes a long way towards explaining why WordPress security plugins provide so little protection against the exploitation of vulnerabilities in other plugins is that the developers of those plugins don't have a great understanding of security. That is partially backed up by how often security vulnerabilities are found in security plugins. The latest example of a security plugin we have found to contain a vulnerability involves a newer plugin, Headers Security Advanced & HSTS WP, which has this text in the first paragraph of its description in the WordPress Plugin Directory:

it allows you to securely and quickly customize your login page URL. It does not rename or replace files, add rewrite or read rules. The wp-admin directory and the wp-login.php page will no longer go, remember to bookmark the URL or wherever you prefer so you can remember the login url. Deactivating this plugin will return your site configuration exactly to the state it was in before.