"Why?" is an easy question to answer. If a security vulnerability is found, and the developer notified - the next logical step is to issue a fix and update the effected systems. But how do those website owners know that an extension is in need of updating? This is where the very capable Joomla update service comes in. Developers provide an XML file which details the latest version of their software. The effected site owners are notified of updates and the world moves on.

Unfortunately, many developers are just hobbyists. Releasing an extension to the public is their way of giving back for the software they receive for free. It's how an ecosystem like Joomla grows. These hobbyist developers now have their extensions labeled "insecure" by the JED when this new plan went into effect January 10th (notice wasn't given to the developers until the 12th)

The Joomla update system has been available since Joomla 1.6 and has experienced a growing adoption. Still not all developers are on board. I have been moving everything to a system capable of providing JED update system capabilities for several months, and although I'm ready - only a few of my extensions use the update system currently. Because of this late notice, I'm under the gun to re-release my extensions with this capability - not an easy task when considering that I have over 30 extensions in the directory.