I would like to see an option to automatically disable insecure modules (modules with security issues).

Or create an event which can trigger the disable module action.

Comments

dww

Status: Active » Closed (won't fix)

Obviously, that wouldn't work for when update.module discovers an insecure version of core. :( And, this strikes me as a potentially very bad thing to disable modules automatically. What if, for example, an access control module or a login-related module is deemed to have a security vulnerability? Disabling the module might be worse for the security of the site than the vulnerability (e.g. on a site that only allows approved users to post content, XSS might not be quite as much of a concern, but disclosing a bunch of private content by disabling an access module would be a huge problem).

So, I'm inclined to say this is a bad idea, overall. At best, I'd say someone should work towards exposing "module foo is insecure" to actions.module via http://drupal.org/node/158541 and then letting site admins click together some kind of crazy policy to decide which modules are ok to auto-disable, etc. Therefore, won't fix.