...and then someone goes and uploads an archive with renamethis.lua inside, with an accompanying text file that instructs the user to rename it to renamethis.exe and run it to install the addon. "Aha!" you say, "users wouldn't be stupid enough to do that!" If that's true, then there's no need to blacklist executables in the first place - but it's not true.
Seriously, it's not worth the effort of the Curse team to attempt to make a bulletproof system, then have to iteratively improve it as their reputation goes down the drain with successive attacks. WoWInterface and Curse do well to be extra cautious, as they are extremely high profile targets for people trying to harvest account information and/or deploy general malware.
If you don't agree with that paradigm, then there's always wowui, which attempts to automate the process and suffers regularly for it.
...and we haven't even gotten to the part where an automated process would also cause the site to degenerate into a mess of compilation and plagiarized garbage.
Though I do not know the exact details, there are ways to create "zip bombs" that recurses infinitively. The purpose is obviously to blow up virus scanning servers (specifically mail scanning gateways) that do not have a recursion limit.
Well, then just implement a scanner for custom uploaded zip files. If only safe extensions, then no human intervention is necessary, same as SVN.
That's what wowui.incgamers.net does, and it's turned into a game of cat and mouse between the site admins and malicious software creators. The last attack was something along the lines of an executable inside of a zip file, inside of another zip file, and their virus scanner wasn't smart enough to recursively extract.