Sucuri released a post revealing that two popular WordPress plugins had a serious vulnerability.
it's not "bundling plugins bad", but "bundling libraries good". either is just code. *how* you bundle matters. dependency management!
— Andrey Savchenko (@Rarst) September 5, 2014
I agree with Rarst that there is no difference between bundling plugins, libraries or frameworks, as they are all just code. Eric wrote a few thoughts on “Dependency Management in WordPress”. WordPress is still not at the stage where dependency management can be implemented in a way that the average user can use.
A number of themes use settings frameworks. There was once a discussion on the WordPress.org Theme Review mailing list, and it was decided that theme developers should ship their themes with the settings frameworks integrated instead of installing the plugin version of the framework using something like TGM. By including the frameworks in the theme, the developer is making the decision for the user and not giving him/her further options. Users find it confusing to see plugins that they do not remember installing. Settings frameworks are not the only frameworks; there are others, like metabox frameworks or theme frameworks.
One of my plugins is FluidVids for WordPress. The plugin makes it easier for people to use FluidVids from Todd. I regularly track updates and include them in the plugin. It is the developer's responsibility to track updates to the libraries, frameworks or even plugins that they have bundled in their theme and to update them as soon as there is an update.