I think the security team treats plugin security separately from core security, except for the basic stuff that gets caught during upload to the repo. If a plugin is particularly notorious, though, for security problems (looking at you, TimThumb), it gets removed.