Currently, when a plugin is reported to have a security vulnerability, it is removed from the plugin directory until the vulnerability has been resolved, but no warning is provided to anyone who has already installed it. While many plugins are promptly fixed, quite a few remain vulnerable for a long time or are never fixed. WordPress should display an alert on the Installed Plugins page if an installed plugin has been removed from the directory and provide at least a general reason for the removal, as many plugins are removed for reasons other than security vulnerabilities, so that admins can take appropriate action. In many cases the details of the vulnerability are publicly available, so withholding a warning that a plugin contains a vulnerability will not help to limit the chance of the vulnerability being exploited.
We have created a plugin that provides a more limited version of this functionality until the issue has been properly resolved.