The WordPress Contact Page has contact information, including the security alias link. Although it's not on the front page, I hardly call that obfuscation.
This doesn't belong on the home page, or in the dev blog, for several reasons. First, the number of people at risk from this exploit are comparatively few. Second, it's a problem that affects more than just WordPress. Yes, we are taking steps to mitigate the risks, but if your hosting provider has
register_globals enabled, despite the default configurations in PHP 4.2.0+ and the warnings about the matter that have been made for quite some time, you can hardly solely accuse WordPress of being insecure. You should also contact your host.
We've shared several ways that users can resolve the problem:
register_globals = off in your php.ini file
php_flag register_globals = off in your
Security concerns are a delicate matter. As I said before, we have an obligation to our users to remain calm, and to thoroughly evaluate our response. It's easy to point out security problems. It's harder to fix them. You are invited to help us fix them.