by Vanderson 2771 days ago
I guess I am looking at it from a systems-building perspective. If you can control the rules for what files are allowed to run (i.e. limit them to something like "plugin.php" or a directory like /something/something/plugin), then add access rules to the server (again, by default this shouldn't be hard) to limit running files to those rules.

Then you have a much smaller surface area of potential problems. I am not suggesting it has to be required by WP, but at least "available". This wouldn't cause any sort of popularity or ease-of-use concerns either.

Any plugin that wants to be more secure just follows some rules outlined by WP parent-corp and adds the .htaccess (or whatever) rules, and presto, more secure.

I don't run WP for anything more than testing stuff; can you really put a file anywhere by default and have it be executable?

1 comment

In most cases, yes. Most shared hosting providers will execute all PHP files by default, although it's quite doable to block access using rewrite rules or custom access controls.

The problem is that the majority of WordPress users lack the know-how to do it on their own, as well as the will to pay for someone else to do it for them.

Web hosts aren't interested because supporting it would be a nightmare due to the millions of possible plugin/theme combinations.
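The two rule styles discussed in this thread, the deny-everything-under-a-directory rule and the allowlist that lets only one entry-point script run, as a worked Apache .htaccess example added here by the editor (not code from either commenter, from WordPress, or from any host). The directory names wp-content/uploads and wp-content/plugins/example-plugin and the entry point plugin.php are assumed for illustration; nothing in the thread names them.

```apache
# --- 1. Deny-list: wp-content/uploads/.htaccess (added example, not from the thread) ---
# Uploads should hold only media, so refuse any direct request for a PHP-like file here.
# The pattern is case-insensitive and also matches double extensions such as shell.php.jpg,
# which some AddHandler configurations would otherwise hand to the PHP interpreter.
<FilesMatch "(?i)\.(php[0-9]*|phtml|phar)(\.|$)">
    # Apache 2.4 syntax; on Apache 2.2 use "Order deny,allow" followed by "Deny from all".
    Require all denied
</FilesMatch>

# Belt and braces for mod_php installs: switch the engine off for this directory tree.
# This line is ignored (not an error) under php-fpm / FastCGI, so the FilesMatch above
# remains the rule that actually holds.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>

# --- 2. Allow-list: wp-content/plugins/example-plugin/.htaccess (assumed names) ---
# Only plugin.php may be requested over HTTP; every other .php file in the plugin tree
# is answered with 403, so a file dropped into the directory cannot be reached directly.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Requests for the single permitted entry point pass through untouched.
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/example-plugin/plugin\.php$ [NC]
    # Anything else ending in .php (including .php.txt style names) is forbidden.
    RewriteRule \.php($|\.) - [F,L]
</IfModule>
```

Two caveats a practitioner would check before relying on this. First, .htaccess files are only honoured when the host's main configuration has `AllowOverride` set to permit FileInfo and Limit directives for the document root; on nginx and on Apache configurations with `AllowOverride None` the file is silently ignored, which is exactly the "shared hosting" situation the reply describes. Second, these rules gate direct HTTP requests only: a file that WordPress or another plugin `include`s is still executed regardless of the rule, so the allowlist reduces the reachable surface rather than making the directory inert. Verify with a request such as `curl -I https://example.invalid/wp-content/uploads/test.php` (example URL) and expect a 403, not a 200 with a `text/html` body.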