Kylo actually it was kind of the point of implementing that. To be able to warn against outdated or vulnerable extensions.
I have never implemented the vulnerability part for extensions because we've had so few instances and nothing serious yet I believe. If a serious vulnerability is found in an extension I'll give priority to get this feature implemented.
Just like I now do for configuration issues, those reports would get a D rate and be hidden from the homepage.
I don't think offering this feature on the lab causes any more significant risk. Doing what I do is very easy. Any bad actor could easily create a tool that does the same but scans many more forums much more quickly.
In my opinion offering those features on the lab empowers the forum owner because those are checks they might not be able to easily do by hand. Even if someone else scans someone's forum I'd hope they will report their findings to the owner.
If I see vulnerable reports passing by and know who owns the forum, I usually try to ping them if I see the issue not being fixed after the scan.