I have actually considered this, but I can't give you an answer to your question yet. I can tell you what I have in mind, though.
Joomla! is a much better designed system when it comes to security. All requests have to go through the index.php file of the back-end or the front-end. When a developer uses a directly web accessible .php file They Are Doing It Wrong. Moreover Joomla! has predictable directory names for extensions' media files, images and so on and so forth. Moreover, Joomla! has a predictable collection of plugin events which are fired by the core in predictable ways.
WordPress, on the other hand, is what we can best describe as chaos, anarchy and havoc. WordPress itself has a gazillion directly web accessible .php files all over the place. Its plugins do the same and, worse, are expected to do that. The wp-content folder is a complete security clusterfuck, hosting code installed by the administrator (plugins, themes), core code (upgrades) and user uploads (in the uploads subdirectory). Three sources with different trust levels under the same folder. The plugins subdirectories also have a mix of executable code, directly web accessible files and media. Adding insult to injury, about half of WordPress' hooks are not launched by the core but by the theme itself. And no, there is no hook which is guaranteed to run before anything else in way that would make a web application firewall practical.
Basically, it's a losing battle. Over the last year or so I've concluded that WordPress cannot be secured as tightly or easily as Joomla!. If we start with a security model which allows by default WP plugins to operate unhindered we have a TOO LAX model which allows hackers to upload and execute malicious files (hack scripts), the number one cause of hacked WP sites. If we start with a strict security model it will take a hell of a lot of effort for users to come to a working setup and it STILL comes down to how much you trust the developer of your plugins. After all, you'll have a lot of directly web accessible .php scripts which completely sidestep WordPress and, by extension, any security solution you've got installed. Remember a few years ago when tons of WP sites were hacked because of extensions using an old, vulnerable version of TimThumb? Admin Tools for WP could never protect you from that for the reason I just mentioned.
Since we also lack a suitable hook which guarantees execution at an early load stage we can't even be sure that we'll be preventing things like SQL injections and CSRF attacks. Actually, since WP has a very thin API we can't realistically offer features like UploadShield, XSSShield, DFIShield etc. The norm in WP is to have subpar code directly reading from the $_FILES, $_GET, $_POST and $_REQUEST superglobals directly. In Joomla! this code is considered shoddy at best: all developers MUST go through JInput to get access to the request data.
Then we have the way the core of each CMS operates. A recent attack in WP comes from the fact that it neither filtered nor escaped the comments entered by users when they're longer than the comment body database field length. This is a childish mistake. The Joomla! core is so much better at preventing this kind of attacks, mainly because there are centralised points of enforcing content security. Again, a security solution for WP couldn't catch those attacks (OK, maybe XSSShield could catch this one, but that's a big MAYBE...)
On top of all of that I have to keep in mind that WordPress is very popular. So we have a popular, impossible to secure web platform. If it sounds like a hacker's wet dream, it is. They will attack it relentlessly. Considering the subpar quality of the code of most plugins I've seen (some of the most popular ones!) and the abysmal code quality of the themes commonly used (see: ThemeForest) we're talking about a security nightmare.
Sure, I could write a security plugin for WordPress just like other companies have done. The difference is that the other companies are in it for the money, our company actually wants to offer good quality software that really works. A security product for WordPress is doomed to offer a very partial level of protection at best. It can never live up to the quality standards I have for our code. Additionally, since it's doomed from the onset, it would cause a lot of support requests and a lot of lost user trust when their site is hacked not because our code failed but because our code was entirely sidestepped by a shoddy plugin or theme. I can't prove I'm not an elephant. With Joomla! we had to do that very few times and it was almost always apparent which 3PD extension acted as the backdoor (typically written in such a way as to sidestep critical protections offered by Admin Tools).
For all these reasons I'm not inclined to spend any of our time writing a security plugin for WordPress. If we did we'd have to charge a lot of money and spend disproportionally lots of our time on it, always knowing that it would never make WordPress as secure as Joomla!. That would act as a distraction and eventually lose us money. So no, most likely you won't see Admin Tools for WordPress in the foreseeable future. You have to live knowing that having a WordPress site is like driving a car with one NCAP star: it may drive fine but if you crash you're unlikely to survive.
PS: I am considering moving my blog from WordPress back to Joomla!. The last security issue made me shut down comments, so why should I use WordPress at all?
Nicholas K. Dionysopoulos
Lead Developer and Director