That's true, ergo, but is it really necessary? WordPress isn't a commercial product and is totally built and supported by a community. It is an example of a community dedicated to the development of tools that serve the community. I for one have never seen such a well organized and dedicated team of developers that have achieved such phenomenal success - success measured by the volume of installs.
I agree the community approach doesn't have a rigorous review process but there's something to be said about self-evaluation and an unspoken community commitment to providing above bar plugins, themes, and services. It's not perfect but it's the only example of a decentralized community on the web where the community can be involved - or not - and can have a huge impact on the development cycle and what the end results are. Sure a plugin developer can fall behind or produce poor code but the community does review and comment - very verbosely at times - when something doesn't work. Again, it's not a perfect solution.
As for keeping the community at large informed, that's up to the community. There are several methods by which they can stay informed. By default, WordPress installs include a feed from the WordPress blog on the dashboard. The core developers post their notes and meetings, and contribute to the blog about what they're working on as well as any issues they've uncovered.
Perhaps what's needed is an owner's manual that explains responsibilities (users versus development community) on maintenance and upkeep as well as support. Buying into WordPress or any CMS means you're buying into the culture of that community as much as you are into the tool itself. It's a personal choice based on many factors. Some people choose based solely on convenience. Others may choose based on availability of support or because there is a rigorous security review process. I like the WordPress community approach. It suits me and my clients. I know what I need to do to keep my sites safe and secure, and if a rogue plugin is uncovered it would likely be discovered and the community would act on it quickly. BTW - I've never heard of one in the 10 years I've been playing with WordPress - yeah, I was messing with WP when it first came out.