If you are the maintainer of their website it is your responsibility to protect this website from back door hacking. Your customers pay you after all in order not to have to bother themselves with these issues.
It doesn’t sound that right to pass the responsibility to your customers, who at the end of the day might not have the knowledge to figure out if the code of the one or the other plugin contains malware and then claim that it is not your fault but the plugin’s maker fault?
If you know at the end of the day that a plugin is vulnerable you can always replace it with something that does the same or similar job. There are literally hundreds of plugins for each and every imaginable customization, that many that it is difficult to choose which is better to use.