Your lack of understanding of PCI DSS is amazing!
Quotes and links to official PCI DSS documentation below:
In a document above, ("getting started with PCI DSS") on page 1 you can find "PCI Data Security Standard Requirements" table. One of the points for merchants is:
6. Develop and maintain secure systems and applications
There are number of requirements that cover secure system and applications but the bottom line is: if you use a 3rd party software there is a chain of dependencies. Merchant has to confirm that the software developed by a third party is compliant with PCI DSS.
In terms of PCI DSS SAQ D, you have provided incorrect information again as PCI DSS SAQ D applies to all the merchants that take payment on their websites and hence merchant has to be compliant with PCI DSS the chain of dependencies on a 3rd party software is required.
Last but not least, I'm not sure whether it was a deliberate act of misinformation or yet another example of your understanding of PCI DSS, but your comment regarding being able to "to avoid the hassle of PCI entirely" is simply wrong. Even with payment gateways paypal standard or sagepay form integration merchant is still required to be compliant with PCI DSS SAQ A as per page 2 of the same document.
Call sage and ask them what is "Simplified PCI DSS compliance" - and tell me if I'm wrong ;)
In short WooCommerce representative, including yourself have no clue about security and therefore thousands of clients/websites are at risk!
I have spent many hours on various conference calls, meetings and exchanging emails during our recent PCI DSS assessment + I have been reading a lot about those subjects. I'm confident that information which I have received and in turn published on this forum is accurate and it's supported by official documentation from reliable sources.
I have send a link to your response to our PCI DSS consultant... In response I have received: "Now you know why we won't certify any website that runs on woocommerce".