My problem is that it positively encourages admins to run insecure sites.
As you say, this tends to be exactly the same group of users who won't have much knowledge about server security.
I know that other well-known applications do this (WordPress, I'm looking at you). But I know experienced server admins who will not touch the likes of WordPress.
It also relies on plugin administrators keeping their info up to date in the plugins database.