WordPress’ Belief in Covering up Vulnerabilities in Plugins Is Disputed By Reality
In trying to improve the security of WordPress plugins, and therefore the security of WordPress itself, one of the biggest impediments, if not the biggest, is the people on the WordPress side of things. That starts with the person at the top, Matt Mullenweg, falsely claiming that the only plugin security issue that isn't "hypothetical" is people not keeping plugins updated, despite how many websites have been hacked through unfixed vulnerabilities in plugins (vulnerabilities no update could have protected against, because no fixed version existed). From there, another top impediment is the WordPress team's belief that hiding publicly disclosed, unfixed vulnerabilities somehow keeps people secure (even though, if you believe the person at the top, those vulnerabilities are not even an issue). Here, for example, is the first paragraph of the page on how to report a plugin security issue:
If you find a plugin with a security issue, please do not post about it publicly anywhere. Even if there's a report filed on one of the official security tracking sites, bringing more awareness to the security issue tends to increase people being hacked, and rarely speeds up the fixing.