This issue has been reported privately to the security team, but it was decided to handle this as a public security improvement since no direct vulnerability is involved. This issue was reported by Matt V.
Problem/Motivation
The Update system by default does not report modules and themes that are disabled. Because in Drupal 6 and 7 the administration theme can be in use and disabled at the same time, a security vulnerability in a theme used as an administration theme may not be reported by the system.
Proposed resolution
We should fix the Update system so it also reports on disabled themes that are used as an admin theme.
Remaining tasks
Write a patch against update.module?
User interface changes
none.
API changes
none.
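An audit check for the gap described in this summary, as an added example that is not Drupal core code or a proposed patch. It assumes Drupal 7, where the inputs would come from `list_themes()`, `variable_get('admin_theme', 0)` and `variable_get('update_check_disabled', FALSE)`; the function name and the sample data are constructed for illustration.

```php
<?php
/**
 * Added example (hypothetical helper, not part of update.module).
 *
 * $themes:         array keyed by theme name, objects with ->status (as list_themes() returns)
 * $admin_theme:    value of the 'admin_theme' variable (empty = use the default theme)
 * $check_disabled: value of the 'update_check_disabled' variable
 */
function audit_admin_theme_coverage(array $themes, $admin_theme, $check_disabled) {
  if (empty($admin_theme)) {
    // No separate admin theme is configured, so there is nothing extra to check.
    return array('status' => 'ok', 'reason' => 'no separate admin theme configured');
  }
  if (!isset($themes[$admin_theme])) {
    // Edge case: the variable names a theme that is no longer on disk.
    return array('status' => 'warn', 'reason' => "admin theme '$admin_theme' not found");
  }
  if (!empty($themes[$admin_theme]->status)) {
    return array('status' => 'ok', 'reason' => "admin theme '$admin_theme' is enabled");
  }
  if ($check_disabled) {
    return array('status' => 'ok', 'reason' => "'$admin_theme' is disabled, but disabled projects are checked");
  }
  // The case from this issue: theme is in use for admin pages, disabled,
  // and therefore skipped by the default update report.
  return array('status' => 'gap', 'reason' => "'$admin_theme' is in use but disabled and not checked for updates");
}

// Constructed sample data mirroring a Drupal 7 site.
$themes = array(
  'bartik' => (object) array('name' => 'bartik', 'status' => 1),
  'seven'  => (object) array('name' => 'seven', 'status' => 0),
);

$cases = array(
  array('seven', FALSE),   // disabled admin theme, default update settings
  array('seven', TRUE),    // disabled admin theme, disabled projects are checked
  array('bartik', FALSE),  // enabled admin theme
  array(0, FALSE),         // no separate admin theme
  array('rubik', FALSE),   // admin theme missing from the theme list
);

foreach ($cases as $case) {
  list($admin_theme, $check_disabled) = $case;
  $result = audit_admin_theme_coverage($themes, $admin_theme, $check_disabled);
  printf("%-4s %s\n", $result['status'], $result['reason']);
}
```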
As far as I can see this has already been fixed in Drupal 8:
#1067408: Themes do not have an installation status
#542828: Do not special case disabled admin theme