3 outdated plugins cause a quarter of WordPress security breaches
A rather interesting article from Softpedia told me something else I didn't know (one more drop from the ocean of my ignorance). It seems, although the practice is allegedly no longer common, that some theme developers embedded plugins within the code for their themes.
This, of course, makes the usual method of updating plugins unworkable. And any users of those themes in ignorance, presumably. Responsible developers mentioned in the article include ThemeForest and Mojo Themes, although there are others.
The article throws a few stats around and pings the 3 worst plugin offenders. Here's the link: