Hendrik Buchwald has done a fascinating breakdown of security vulnerabilities in plugins, with analysis of detected vulnerabilities by type and by how many lines of code are in the plugin.
Surprisingly, their software didn’t pick up vulnerabilities in the “vast majority” of plugins. But that is correlated with the fact that most plugins have fewer than 1,000 lines of code. As the code quantity increases, the likelihood for vulnerabilities does as well.
By far, cross-site scripting vulnerabilities are detected the most. Anyway, this analysis is somehow both reassuring and terrifying.