if is hard just hire someone who knows how to do it. there’s no excuse really, envato is not a low budget company, and security is very important.
I really hate bundles, but if you really want, you can make a bundle sale just to pay for this security update. I will be the first and greatest fan of this particular bundle.
What if someone hacks one of those user accounts that bought 500+ items? Even if the thief will not purchase something with the money from that account, it can download a lot of files and no one will ever know.
We can understand if some request from the community are not implemented for various reasons, but security should be top priority.