Karanbir Singh wrote: 
Ned Slider wrote:
  
We (in my day job) see the same security issues for Joomla based sites 
when modules are used to extend core functionality. Site 
developers/owners are quick to extend functionality by installing 
additional plugins but then don't want the responsibility of maintaining 
multiple packages/plugins on the server. It just adds a further layer of 
complexity as any plugins need to also be separately monitored (and 
maintained) for security updates.
Drupal 6 core has a built-in Update Status feature to keep the site admin up to date with new releases (contributed modules and security releases). It synchronizes with drupal.org and warns you when there are new releases for your modules. The update path is fairly easy and automated. using cvs to check out Drupal and its modules can save you a lot of time.

yes, and its things like this :

http://drupal.org/node/313054

which are quite scary.

This is what happens when you don't use the Drupal API, which saves the developers from having to worry about common security issues like XSS, CSRF, SQL injection etc. In that way it's very quick to evaluate the quality of a module: you just need to check whether they make good use of the API or not...

scor,
http://drupal.org/user/52142