oh-my-zsh should rather follow the model where plugins and themes are stored in separate repos and managed via a different method.
I have been trying to follow the issues and pull requests for bug fixes and any security issues but it is impossible to keep track of issues actually.
I assume that Robby and the other devs also are being flooded with requests for their themes to be included into the git repo.
My suggestion would be to maybe do something similar to what weechat and irssi do with their plugins and themes: http://weechat.org/scripts/. They then use something like apt-get (weeget) http://weechat.org/scripts/source/stable/weeget.py.html/ to install plugins, which IMHO makes sense.
The repo method also means that users can manage and maintain their own plugins and themes which should free up a large amount of the cruft.
Just a suggestion; feel free to comment and/or shut it down.
Guess it is a duplicate; pity your issue has been open for so long.
I agree on this.
OMZ should ship only the core plus a reduced number of essential plugins/themes which can be consistently maintained by the people in charge. This allows pull requests to be reviewed thoroughly, taking care of the security issue, making it less dangerous to (auto)update OMZ.
All the other themes/plugins should be maintained by their creators in their own repositories, be collected in a central gallery (with voting/download count), and be installable with the help of a utility (pretty much like, for example: homebrew, npm, sublime package manager or adiumextras).
This would increase the fun of it, and distribute the responsibility for code maintenance and quality among more people.
At the same time users could choose which plugins are worthy of being installed and create alternative plugins for those that suck, letting them be voted/downloaded by the people who appreciate them.
This is a better model than having to issue a pull request to the main OMZ repository in order to change/modify the code of a plugin/theme, leaving the decision to merge in the hands of a reduced number of people who are not the creators of that particular plugin, possibly hurting the intent and vision of the original creator of the plugin.
I agree with @aristidesfl