But it is a reason to demonize them, just as if they told everyone to use telnet because they didn't feel the need to support OpenSSH. Package signing is a basic security feature that people just expect to be there these days.
Not just intimate with Arch, but with the pacman source too, which is what would take the most time. And there's the fact that most people can't actually program even if they're comfortable using Linux.
But Ubuntu started as a fork of Debian, which was and still is NFP, but which still actually cares about its users even though most of the devs aren't involved with any of the official support options.
I don't see in there where it says that the base system is built with fairly large security holes and that no one should use the system unless they're prepared to deal with them.
Say a bunch of software engineers develop a distribution for themselves, and only for themselves, as a hobby. Then they publish it on the internet in the hope of attracting other software engineers to improve it. The distro is good in many ways and attracts non-software engineers, which was never its intention. Do you really expect the original team to accommodate them when that was never their intention? It's like expecting someone driving a mostly empty bus to pick up, feed, and transport every hitchhiker they see to each individual destination just because they have the room.
The pacman source code is available as well. And I think the original attitude was that this was a distro for coders. Hence the user-centric bit. Not that this should or shouldn't change, but that's where it's coming from.
The issue isn't Arch's devs as a whole; most are doing their jobs just fine. Dan's being a little selfish, but given this is his hobby I can understand that. Like I said, a lot of people have had the stones to bitch, but none to replace him. He's all we've got for the time being. As for the community, despite what "The Arch Way" says, it is very helpful. The forums are dedicated to Arch with no off-topic sections, making most responses informative at the least. Hell, the verification question is entering an obscure, ass-backwards terminal command and supplying the 40-60 character string it produces. There have been threads of noobs on other forums just trying to figure IT out. Not difficult in reality, even for a noob, but it shows the kind of person they want to attract.
And nowhere is Arch really advertising itself. It doesn't even mention security on its front page, or in its mission statement. It was built as a hobbyist distro. I'm not saying that excuses security holes, but it explains why they're there. My attitude, in traditional Arch form, is "alright, I've been itching for a meaningful project for a while anyway. Why not this?" So as a coder I'll get intimate with pacman and other related packages and see what I can do. At the very least I should be able to make some helpful suggestions to speed things along.
And just to clarify, aside from the package signing issue, Arch is as secure as you make it. You mention holes, plural, but I've never heard of any others.