In theory I agree, but word documents and excel files and webpages and emails aren't exe files either but enterprising virus writers have figured out ways to make all those non .exe files successful delivery mechanisms for viruses.
The point is made, but those applications are exploitable because while their files are not directly executable, you can embed stuff like VBScript in them -by design- that CAN be executed. Granted, I'm no uber-hacker, but I cannot think of a way to do that with a myth plugin because there is nothing that opens them in that fashion and it dies as invalid if it can't see/open the collections it is expecting. The closest thing I could think of would be to embed an executable in a collection, but given that the engine simply loads those as Strings or Images I don't even see that as feasible... and I don't see any way that you could add scripting that would shell out or anything like that.
This sort of thing though is why it should be a client side thing anyway, so that the game client can validate that the file is a plugin as it would be trivial to make it not available if it can't be loaded as a plugin. If it can be loaded as a plugin, the liklihood that you could also craft it to behave as malicious within MS Word or something like that DRASTICALLY reduces simply becasue of how picky Myth is.
As for bandwidth and not everyone having fast connections.... it beats the hell out of expecting someone else to always foot the bill, and more importantly having to rely on that one thing for a centralized download area (see life without The Mill). Besides, if you follow the Torrent/P2P model anyway, you have the ability to limit or turn off upload speeds.... it's not rocket surgery.