I'm not really disagreeing with you, but is that really a security bug or even a problem with this plugin?
FTP (a horrible, designed-on-a-napkin protocol) requires either that the userid/password be stored somewhere or that the user be prompted each time. Prompting wouldn't make for a useful plugin.
Also, if you do use those constants, how is that different, from a security point of view, from what this plugin is doing?
Lastly, if another plugin is doing malicious things and executing code on your WordPress installation, then what this plugin does is beside the point. Your installation is already compromised. ;)