Delicious Brains' stuff was obviously going to make the list as they're another WPEngine acquisition. No idea what's the deal with the others though.
> Were they right to do so? It's complicated, but likely yes.
Going to disagree, there.
What did turning off some of the commercial features of the plugin have to do with the security fix?
WPE had already created a fix for the security issue. It was just being artificially being prevented from being deployed.
They didn't just fork ACF into SCF. They forked it, then took over all of ACF's reputation, rating, and are arguably committing trademark infringement in order to do so, none of which was needed for the security fix.
> The WordPress.org team
Matt says himself "I am WordPress.org. It's not a part of the Foundation" (but you'd be forgiven for thinking so, given that the website resides on the Foundations AS network...
As for the security fix itself:
It's not much of one. It hides some POST variables or doesn't populate them, but they're still present in the REQUEST supervariable. It's relatively pointless as a security fix because if there -was- an exploit for it, the exploit would still work with a simple "s/_POST/_REQUEST/g".
It also seems entirely likely that Matt directed engineers at Automattic to find something, anything, that could plausibly called a security hole so that he could artificially catalyze this situation into existence.