Welcome to
'Confessions of a Culture Shock Junkie' ™

Why Comments Are Not Allowed Here
Technology - Security
Written by Tom H.   
Thursday, 01 May 2008 15:12

I have been assuming that Joomla! is masked in Portage for the same reason my friend's site got hacked a few years back: because of an exploit known as cross-site scripting (XSS).

As it turns out, Joomla! is susceptible to an exploit that is new to me: cross-site request forgery (CSRF). It took a little while to digest how this might work, so I will not attempt to improve on the excellent explanation of CSRF attacks at wikipedia.org (which is where that last link takes you).

It came as some surprise to me that combining online banking with surfing an insecure yet otherwise ostensibly trustworthy forum could enable a criminal to steal from you!  I'm almost afraid to ask: what will they think of next?!?

What is worth saying here is that once I get to a good stopping point (or run out of savings or both) I will want to find another "real job" and will not be able to monitor this site on a daily basis. Developing these sites is fun but I will not let them interfere with whatever duties are mine when I find and accept the next opportunity.

And it's for these reasons - CSRF attacks and my being a strictly part-time webmaster - that I have no intention of enabling comments here at any time during the near future.

Sorry to disappoint you but this is indeed for your own protection! 

Last Updated on Friday, 02 May 2008 10:23