You can find some interesting security measures in WebStart.php: checking register_globals for overwriting, the use of a define for the entry point so undefined variables can't be abused even with register_globals... Some other security checks are the user-agent forbidding of action=raw for IE (it detects HTML when it's not) when not using index.php (now changed to apply to any browser), and the manual verification of user variables instead of $_SERVER for getting the user IP... As MediaWiki grows, it learns new tricks, sometimes when attacked ;)
And then obviously there are our developers, ready to detect bugs. Brion reviews all MediaWiki changes, and no extension goes live on Wikimedia servers unless it has been verified by a sysadmin. Which, OTOH, produces a bottleneck on some requests, or delays for big code changes.
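
The two WebStart.php measures named above (the entry-point define and the register_globals overwrite check), sketched as an added example that is not part of the original post and is not MediaWiki's own source. The helper names and the sample variable `wgIsAdmin` are hypothetical, and the request data is constructed.

```php
<?php
// Added illustration, not MediaWiki source. Helper names are hypothetical.

// 1. The entry script defines a marker constant before including anything.
define( 'MEDIAWIKI', true );

// 2. Every other file begins with this guard, so requesting it directly
//    (where no entry script has run) stops before any code can use
//    variables that register_globals may have filled in from the request.
function requireEntryPoint() {
    if ( !defined( 'MEDIAWIKI' ) ) {
        die( "This file is not a valid entry point.\n" );
    }
}

// 3. With register_globals on, each request parameter becomes a global.
//    Refuse requests that name a superglobal, and drop every global that
//    came from the request so later code only sees values it set itself.
function scrubRegisteredGlobals( array $request, array &$globals ) {
    $forbidden = array( 'GLOBALS', '_SERVER', '_GET', '_POST', '_COOKIE',
        '_FILES', '_ENV', '_REQUEST', '_SESSION' );
    $removed = array();
    foreach ( $request as $name => $value ) {
        if ( in_array( (string)$name, $forbidden, true ) ) {
            throw new RuntimeException( "Request tries to overwrite $name" );
        }
        if ( array_key_exists( $name, $globals ) ) {
            unset( $globals[$name] );
            $removed[] = $name;
        }
    }
    return $removed;
}

requireEntryPoint();

// Constructed sample: global state as register_globals would have left it.
$fakeRequest = array( 'wgIsAdmin' => '1', 'title' => 'Main_Page' );
$fakeGlobals = array( 'wgIsAdmin' => '1', 'title' => 'Main_Page' );
print_r( scrubRegisteredGlobals( $fakeRequest, $fakeGlobals ) );
var_dump( $fakeGlobals );

// Constructed sample: a request that names a superglobal is rejected.
try {
    $empty = array();
    scrubRegisteredGlobals( array( 'GLOBALS' => array( 'x' => 1 ) ), $empty );
} catch ( RuntimeException $e ) {
    echo $e->getMessage(), "\n";
}
```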