I don't think you can blame the templating system when the plugin system is vulnerable to precisely the same issues, namely arbitrary code execution—except, of course, that the attack profile is so much broader for plugins since people will only have one template running (or two if they're using a child theme), but typically, many plugins.