The security issue was with shared OAuth keys and installed through the "OAuth" method, which was a way for people to install non-approved SmartApps through a webpage. This was changed by ST shortly after the risk was published.
With those apps, only you know the key to access the SmartApp. You can revoke it at any time. You need OAuth to communicate with 3rd-party integrations, like Nest, Amazon, myQ, etc.
The real issue is installing untrusted apps into your system. Both CoRe and AskAlexa are open source so you can read through the code and make sure it is only doing what you want it to.
If it makes you feel better, I use both. Read through some of the code, and both are top notch.
This response from Alex and the talks in the thread are pretty solid.