Almost all security issues with ES stem from their idea to keep authorization as separate, paid product (X-pack). On other other hand MongoDB had similar issues since they wanted to their product to be easy to setup and use, maybe for people scarred of pg_hba.conf.
Actually wrong at several levels. First, the free version includes all the security features. Xpack was always free (as in beer) and easy to enable when that still was a separate thing (it no longer is). After they changed the license for the whole of elasticsearch to be similar, xpack is no longer a separate thing. You just get the whole product. For free. There are some paid features in there but they are mostly related to high value stuff related to e.g. machine learning.
The "security issues" mostly stem from people intentionally running it without a firewall completely unprotected on the public internet. And then they put important data in there. Simple solution: don't do that, it's stupid and negligent and it's 100% your fault if data leaks like that.
You wouldn't run a database on the internet either. But if you must run it on the public internet, just put nginx in front of it with basic auth and https. Problem solved. Not that hard.
Alternatively, use the hosted version which doesn't allow you to do that at all and is nice and easy to get started with.