RE: Some thoughts on potential improvements of the STEEM/steemit platform.
For some of these issues, I don't think it is necessarily that witnesses don't see them; it is that they are front-end issues and not blockchain-level issues/fixes, which is ultimately what the witnesses are most involved in. E.g. ads - obviously integrating ads and even allowing targeted post promotion is easily accomplishable at the front-end level and doesn't need any changes to the way the blockchain works.
RE use of steemconnect - that is totally not necessary, nobody is required to do that, and see e.g. d.tube as an example of a site that stores the posting authority encrypted in the browser so you can easily clear it at any time. I haven't followed your link to fully understand the capability-based vs. identity-based security though.
One thing I will say - you are absolutely right that there should be a bounty program or some kind of incentive to find and report vulnerabilities in the code. There is no excuse for it really. Steemit, Inc. has plenty of funds and I think it is pretty clear that there are other bugs and vulnerabilities to be found. I will try to ask around RE why this is not already the case.
Cheers - Carl