I am not a R user (using primarily julia and python), but can you expand on the insecure aspect of CRAN. Do you refer to (potentially) missing package signing (similar to [1])? I am not aware that python or julia support this either. Or is the software download over ftp/http instead of https?
[1] https://wiki.debian.org/SecureApt