I think there's a false logic present in arguing that "lots of people use it, so it's ok even if it's shit." Apply this same argument to one of several poorly coded plugins that have introduced basic security vulnerabilities and had widespread adoption. I think this is even worse when there's no commitment to improving it.
I find it curious we don't necessarily aspire to quality; and I think we should. I'm not happy just FUCKING SHIPPING IT.
Since there are always bugs, all code is an opportunity for security vulnerabilities. Users take their site security into their own hands whenever they have to trust others' code, as well as trusting their own coding skills (if applicable).
Sure, can't refute that. However it's the same mentality that allows the same, basic vulnerabilities to persist throughout the years. The code basically works so sod it, who cares.
Of course, I fall short of offering a solution, because there is none that doesn't imply writing bug-free code (impossible if it's not trivial); spending inordinate amounts of our spare time vetting this code; or otherwise stopping people from learning in the first place. The other one is to tell people not to use these plugins, or to be more careful, but they need to know what's currently'safe' and what isn't.
I just don't like the mindset that 'shipping' code is the be-all and end-all when as masters of our craft (hyperbolic?) we should at least aspire to more than 'good enough' or 'working', even if it's unattainable.
But with web programming, if you're not good at it, but you have the perseverance to bash on code until it's "good enough that it works" (which is admirable, don't get me wrong), there's a very high chance it's got some major holes.
This is a real consideration to me, cause I'm working to teach kids technical computer skills, including programming. If I'd teach them PHP, I'd have to wall off the server, because many of their projects are bound to be full of holes, and we can't take the chance that one of those would affect our organisation's website. It's volunteer-based, so there might not be money to get a separate hosting package. Same if I were to give them all their own WP install, some of the projects are going to be forgotten, and I'm not going to be the one making sure they're all being kept up-to-date and secure for the rest of their lifetime.
And that's a cool article you linked. I already knew it, but for those who don't: it's worth reading, check it out!