One is the past behavior of one developer who claimed to reverse engineer code that obviously wasn't.
The other is a mistake made in 2003, to which they've still not owned up.
You don't silently patch security issues, especially when they are discovered and fixed by someone outside the project.
Other than these, I have nothing but admiration for the project and its developers.