From this thread: http://wordpress.org/support/topic/security-review-process
It's not about proving WordPress is secure. The issue is public perception of, and confidence in, how secure WordPress is.
It would be nice (and I think necessary) to have a single page, under the WordPress.org site, that:
Acknowledges there IS a security team
Identifies the team's objectives
Identifies Proactive tasks
Identifies Reactive process/tasks
That's it. That's all I think we need to help eliminate most of the misinformation and rumors.