I disagree and would love to see a source cited on that one.
The wp.org plugin repository, I can see that being true, but not the theme repository. They’re separate entities, managed by separate teams, too. I’m actually on the plugin review team, and I can say, without a doubt, that any theme you download from WordPress.org is safe as houses. I will not say that of plugins. Every single theme is reviewed, and every change to every theme is reviewed.
If I had to pick a number one source of exploited theme code, it would be ThemeForest, for exactly the same reason as the wp.org plugin repo: We don’t have ongoing oversight.