Recommendation status of plugins after update

Yes, because no full review is made of the plugins.
This was discussed in the topic plugin recommendation and generally at the plugin implementation.
In order to do this, the plugin would have to be reviewed every time a new release is published, but manpower is lacking for this and the plugin would not be allowed to be published until it has been reviewed.

And yes, any plugin can contain malicious code, recommended or not.