I'd just expect a company to do more for my money than just applying a crack - i can get this anywhere else for free.
If a crack is the last resort to remove DRM, GOG should be open about it, and not just settle with a statement on page 9 of some game-specific thread.
Besides, how would you know if it's not a security issue? On arcanum, it was simply discovered. Now Moto Racer, it's a bug already. What makes you sure it isn't malware next time? Since obviously GOG's QA ain't for the best...
You are not paying for the crack, you are paying for the game, rather than "stealing" it from a site like Abandonia (there is no such thing as "abandonware", it is really all just software piracy). The use of a crack is just part of the whole removal of DRM/ensuring compatibility that GOG does. Again I ask, if there is no source code/gold master, what exactly
would you have GOG do? Not sell the game at all? Release it with the DRM intact?
Again, there is no need to be open about it, there is really nothing being hidden here. When a game has source code or a gold master available, then GOG takes care of packaging it without the DRM. When there isn't, a crack might be used. It is not a "last resort", it is just part of the process. I don't understand why anyone would be surprised by this. It seems to me that you are concerned over nothing here.
Performing a QA test on a game has nothing to do with verifying that an executable is not a security risk, they are two separate processes. I can be certain that this is not a security risk because GOG verifies that all their games are malware free prior to releasing them and at the same time, of the thousands of customers GOG has, at least some of them must run their own anti-malware scans. If any one of GOG's files were a security threat, we would know about it almost immediately. We've already seen that when one or two of their game installers produced a "false positive" alert from a particular anti-virus product (the anti-virus company admitted it was on their end, not GOG's). Besides, any company that doesn't take that simple step of running their files past a virus scanner before releasing them publicly is just asking for their business to fail. GOG is smarter than that.