You should never ever modify core files in WP. If you find you have to, file a ticket for a new hook or filter so your modifications can be a plugin — it makes things so much easier.

The security report may well be bogus, and Matt gives some reasonable advice for avoiding security issues, but I think this is a bit rich. Never ever. Emphasised. Okay, go and open a ticket, it will all be fine. I'm fairly sure that the WordPress terms of service (no, no, we're talking about the self-installed software, don't go looking at the WordPress.com terms of service) don't say anything about guaranteeing tickets are addressed in X days. Of course they don't; Automattic is not a support company for self-hosted installs unless you want to pay for "enterprise-level support for large-scale users".

As of this writing there are 944 open tickets, dating back to the start of 2005. Many of those are enhancements, some trivial, some critical. What's going to happen to your ticket? If it's a critical security or data loss issue, it may well get addressed immediately, as I'm sure the original SQL injection attack ticket would have been if there'd been more information, and if it actually exists. Those don't come up very often, and it's likely that it will take a while before your ticket gets addressed. Maybe I'm wrong, and requests for hooks or filters do get addressed immediately, but then you either have to be running out of the Subversion trunk or wait for an upgrade anyway.

Now, I am absolutely not criticising the fact that there are lots of open tickets. That's the way things happen in open source software, and to a certain extent it shows the software is a success. But it is unreasonable to suggest that just because you've opened a ticket the problem will go away and you'll never have a reason to change core code.