It’s an interesting semantic game, but ultimately not very revealing. The platform is what gave you the vulnerability; whether it was core, a theme, or a plug-in is a matter of trivia. Especially considering the plug-in “store” is curated. Contrary to your assessment I’ve deployed quite a few things with Wordpress before.