Get your shit together!
It is 2016; there is no excuse for allowing any plugins with insecure code to make their way into the plugin directory. Full stop.
The story about Custom Content Type Management stealing admin credentials and other shenanigans is utterly pathetic. I’d bet this incident is just the tip of the iceberg.
If there is a plugin review process, I have seen no evidence of it. In my experience, plugin updates are made live immediately after updating the repo, regardless of whether the plugin has a site-crashing bug or a security issue.
The plugin directory situation has gotten so bad that people are starting to avoid installing free plugins.
Fix it. Please.
Everyone who loves WordPress
PS. I stole the emoji graphic from the great article on The Oral History of the Poop Emoji.