Also, themes are difficult to update. Compared to plugins and the WordPress core, theme updates have these problems:
1. First, themes do not notify you when they have updates available.
2. It takes an expert to merge a theme update with the existing customization of the theme. (Plugins and core updates are one click.)
3. Theme vendors limit their support. I dealt with a well-known theme vendor which charges some small amount for a subscription to all its themes. It refuses to provide archive versions or changelogs. So the expert is left guessing what customizations have been made, unless some previous person working on the site has kept a copy. (Plugins are more commonly from the WP site, with changelogs and archives.)
4. Users keep unused themes lying around online and see no reason to update them. (This can also be a problem with inactive plugins.)
5. WordPress core can do nothing to protect against bad code. A theme can run arbitrary PHP, as can any admin user from the admin interface, as mentioned by parent. (Plugins are similar, though at runtime the active theme has priority over plugins.)
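The "left guessing what customizations have been made" problem in point 3, and the "arbitrary PHP" problem in point 5, both come down to knowing which files in the live theme the vendor never shipped. The script below is an added example, not code from the comment above or from WordPress: it compares a live theme directory against a pristine copy of the same version, reports added, removed and changed files, and then pulls out the PHP files that exist only on the live side. The directory layout and file contents are constructed for the example; real use would point `theme_audit` at a vendor download and the site's `wp-content/themes/<theme>` directory.

```shell
#!/bin/sh
# Added example, not code from the original comment: compare a live WordPress theme
# directory against a pristine copy of the same theme version from the vendor, so
# the customisations can be recovered without a changelog, and so files that exist
# only on the live side (the only place a dropped PHP file can hide) stand out.
# The directory layout and file contents below are constructed for this example.

# theme_audit PRISTINE_DIR LIVE_DIR
# Prints one finding per line, sorted by path within each class:
#   REMOVED <path>  file in the vendor copy but missing from the live theme
#   ADDED   <path>  file only in the live theme (customisation or foreign code)
#   CHANGED <path>  file in both but with different content
# Paths containing newlines are not supported.
theme_audit() {
  pristine=$1
  live=$2
  tmp=$(mktemp -d) || return 1
  # Byte-order sort on both sides so comm sees the same collation.
  (cd "$pristine" && find . -type f | sed 's|^\./||' | LC_ALL=C sort) > "$tmp/pristine.lst"
  (cd "$live"     && find . -type f | sed 's|^\./||' | LC_ALL=C sort) > "$tmp/live.lst"
  LC_ALL=C comm -23 "$tmp/pristine.lst" "$tmp/live.lst" | while IFS= read -r f; do
    printf 'REMOVED %s\n' "$f"
  done
  LC_ALL=C comm -13 "$tmp/pristine.lst" "$tmp/live.lst" | while IFS= read -r f; do
    printf 'ADDED   %s\n' "$f"
  done
  LC_ALL=C comm -12 "$tmp/pristine.lst" "$tmp/live.lst" | while IFS= read -r f; do
    cmp -s "$pristine/$f" "$live/$f" || printf 'CHANGED %s\n' "$f"
  done
  rm -rf "$tmp"
}

# added_php REPORT: from a theme_audit report, keep only the PHP files the vendor
# never shipped. Those run as the site as soon as the theme is active, so they are
# the first thing to read.
added_php() {
  printf '%s\n' "$1" | grep '^ADDED   .*\.php$' | sed 's/^ADDED   //'
}

# make_fixture: build a constructed pristine/live pair under a temp dir and print its path.
make_fixture() {
  base=$(mktemp -d) || return 1
  mkdir -p "$base/pristine" "$base/live/assets"
  printf '/*\nTheme Name: Example\nVersion: 1.2.0\n*/\n' > "$base/pristine/style.css"
  cp "$base/pristine/style.css" "$base/live/style.css"                 # unchanged
  printf '<?php\nadd_action("init", "example_init");\n' > "$base/pristine/functions.php"
  printf '<?php\nadd_action("init", "example_init");\nadd_filter("the_content", "site_custom_filter");\n' \
    > "$base/live/functions.php"                                       # customised on live
  printf '<header></header>\n' > "$base/pristine/header.php"           # deleted on live
  printf 'body { color: #333; }\n' > "$base/live/assets/custom.css"    # added, harmless
  printf '<?php\n/* not in the vendor archive */\n' > "$base/live/assets/extra.php"  # added PHP
  printf '%s\n' "$base"
}

base=$(make_fixture)
report=$(theme_audit "$base/pristine" "$base/live")
printf '%s\n' "$report"
printf '%s\n' '--- PHP files the vendor never shipped:'
added_php "$report"
rm -rf "$base"
```

The CHANGED lines are the customisations to carry forward into the next vendor release (a `diff -u` of each pair gives the actual edits); the ADDED PHP files are the ones to read before anything else, since nothing in WordPress core distinguishes a site owner's helper file from code somebody else dropped into the theme directory. The same comparison works for the inactive themes of point 4, where any file that is not in the vendor copy has no legitimate reason to exist.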