A big part is also that wp.org is very tolerant of malicious-adjacent actors.

Actual malware? the plugins will get blocked.

Plugin randomly starts injecting javascript from a third party domain that displays some football related widget with affiliate links? they figured that's perfectly in the (new) owner's right and rejected any action even though it was a classic bait and switch with an entirely unrelated plugin.

At some point you have to assume it's by design.