Kudos to you. I did a quick survey of most of the checked modules in our site outside core. Drupal 8.0.0 was released November 19, 2015 according to Google and close to 60% of the modules we have in use have no D8 equivalent. A few have something at some stage of development, but nothing at even a alpha or beta release level. Some that do have D8 equivalents are only at alpha or beta stages.
The core developers do Drupal. The plugin developers generally work on drupal modules as a sideline or fun project. I realize that relying on the second tier has this associated cost, but core Drupal without some of the addons really doesn't work in most environments. So making the upgrade easier would be a benefit to everyone (even if the automated solution wasn't optimal). The 5 to 6 and 6 to 7 paths also had very long delays for plugins, so this isn't new. Some were abandoned, sometimes with a different module suggested that may or may not handle the database the same.
Security in core is good. Security in the whole Drupal eco-system has the same risks that WP has when the learning curve takes a new bump every couple of years for people not involved in core development.