Why are certain functions pluggable (overrideable) in WordPress core and others not? (I note on the Codex page regarding Pluggable Functions no more are to be added in favour of filter usage.)
But theoretically, would there be any security implications or other concerns for having them all pluggable – or is it simply so less pluggable code becomes incompatible with core updates?
Pluggable functions are less elastic than filters/actions.
You can have only one pluggable function “active” – so only one plugin can override the core function. And you don’t have much control over which plugin will it be (WP will use the pluggable function that gets defined first).
So it won’t be very useful if all actions were replaced by pluggable functions.
On the other hand, there are some cases that using pluggable functions may have some sense. wp_mail is great example, I guess. If you want to change the way the emails are sent – you can. But you still want only one such function (otherwise, if you install two plugins that are changing it, you can end with multiple emails sent for every wp_email call).
So it makes sense to use pluggable, whenever it is critical to perform an action only once, but you still want to be able to modify what action is performed exactly.