Actually wrong at several levels. First, the free version includes all the security features. Xpack was always free (as in beer) and easy to enable when that still was a separate thing (it no longer is). After they changed the license for the whole of elasticsearch to be similar, xpack is no longer a separate thing. You just get the whole product. For free. There are some paid features in there but they are mostly related to high value stuff related to e.g. machine learning.
The "security issues" mostly stem from people intentionally running it without a firewall completely unprotected on the public internet. And then they put important data in there. Simple solution: don't do that, it's stupid and negligent and it's 100% your fault if data leaks like that.
You wouldn't run a database on the internet either. But if you must run it on the public internet, just put nginx in front of it with basic auth and https. Problem solved. Not that hard.
Alternatively, use the hosted version which doesn't allow you to do that at all and is nice and easy to get started with.
The "security issues" mostly stem from people intentionally running it without a firewall completely unprotected on the public internet. And then they put important data in there. Simple solution: don't do that, it's stupid and negligent and it's 100% your fault if data leaks like that.
You wouldn't run a database on the internet either. But if you must run it on the public internet, just put nginx in front of it with basic auth and https. Problem solved. Not that hard.
Alternatively, use the hosted version which doesn't allow you to do that at all and is nice and easy to get started with.