I am fairly new to WordPress but not new to websites. I've been managing my current site for about a year, keeping WordPress Core and all my plugins up to date. Then last month I got hacked.
I still can't say that I have determined the point of entry for sure, but I was SHOCKED! to find out that all the plugins and themes that I am not using can still execute code. This was especially surprising to me since I have gone to the trouble of deactivating everything I am not using.
Now for the purposes of child themes, I can understand the dilemma of requiring some cross-referencing of folders that are not technically active, but in all other circumstances I can see no excuse for this situation. Heck, WordPress now detects if you are using a child theme, so why even leave any of these themes and plugins in executable directories? At the very LEAST disabled content should be blocked with .htaccess files, and maybe web.config files for the Windows blokes (like me).
Since I realize that this change would be major enough to possibly break some things, I think version 4.0 is the right time to handle it. For an application that consistently pats itself on the back for how secure it is, this seems like a ridiculous hole to let slide.
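As an added example (not code from the post above, nor from WordPress), here is a shell script that does for deactivated plugins what the post proposes: it writes a deny-all `.htaccess` (Apache 2.2 and 2.4 syntax) and an equivalent `web.config` (IIS URL Authorization) into each inactive plugin's directory. The directory layout and the `INACTIVE_PLUGINS` variable are assumptions; the plugin list comes from WP-CLI when it is installed.

```shell
# Added example: deny web access to each deactivated plugin's directory.
# Assumes the standard layout $WP_ROOT/wp-content/plugins/<name>/ (hypothetical paths).
WP_ROOT="${WP_ROOT:-.}"
PLUGIN_DIR="$WP_ROOT/wp-content/plugins"
# Write deny-all rules into one directory: Apache 2.4 and 2.2 syntax in
# .htaccess, plus an IIS URL Authorization rule in web.config for Windows hosts.
block_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Plugin is deactivated: refuse every direct request to this directory.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
    cat > "$dir/web.config" <<'EOF'
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>
EOF
}
# Undo the block when a plugin is activated again.
unblock_dir() { rm -f "$1/.htaccess" "$1/web.config"; }
# Deactivated plugin names: from WP-CLI when it is installed, otherwise from
# the INACTIVE_PLUGINS environment variable (space separated, constructed input).
inactive_plugins() {
    if command -v wp >/dev/null 2>&1; then
        wp plugin list --status=inactive --field=name --path="$WP_ROOT"
    else
        printf '%s\n' $INACTIVE_PLUGINS
    fi
}
# Run as: WP_ROOT=/var/www/html sh block-inactive.sh run
if [ "${1:-}" = "run" ]; then
    for name in $(inactive_plugins); do
        block_dir "$PLUGIN_DIR/$name" && echo "blocked $name"
    done
fi
```

Blocking a whole plugin directory also blocks any file an active theme or plugin might load from it by URL (stylesheets, scripts), so check the site after running it, and call `unblock_dir` on a directory before reactivating that plugin.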