WordPress was created for writers/bloggers. It makes little sense to me to expect the typical WordPress user to be able to tell if his host's server is secure enough to compensate for an unsecure plugin.
And what if someone's server is not secure enough? Will the user be able to convince his host to upgrade server security in order for him to be able to use chmod 777 safely? With my current host, this kind of request would quickly take the form of an earful of bad language against WordPress (I'm switching to a more WordPress-friendly host next week, by the way).
It seems to me that expecting too much from both users and hosts can only mean negative consequences for WordPress.
Spelling out in the plugin instructions what is required to make the plugin safe would be a minimum, wouldn't it?
I'm not a programmer, just a user that got some strong warnings about chmod 666 and 777 drilled into him and is now very puzzled.