This whole process lacks transparency.
The programme should be open and formal, not just via an ad hoc PM request. There should also be documentation on what "secure" means in the context of "certified secure" and, for that matter, what is checked to meet this security.
The program should be about encouraging better coding especially WRT security. It would be helpful to set out the basic minimum security coding standards for common functions, including examples of secure and insecure coding. That way we could do that up front and the code would be more easily checked and the dev experience put to looking at more complex functions.
Also, in fact, "certified" is misleading, since it isn't certified in any way at all. It is still released under the "no warranty, no comeback" GPL license and, like the core code, not actually certified as fit for any purpose whatsoever legally.
What it means right now is:
"I paid a CPG-Nuke DEV a bunch of cash to check my code and he said it was all right security wise".
This is fine, and IMO, still useful for the first module checked. I pay to benefit from their experiences, however this would become old real quick after 3 or 4 modules and going forward it would be of dubious value. I mean, I match all my competitors on price as it is, so I don't stand to make a lot more from sales by getting the tins stamped "Real Meat".
Also, how does this work with upgrades? Version 1.0 is certified secure, then I release 1.1. Do I need to get it recertified? What about bug fixes (say, in the formatting)?
In any case, doesn't this all end up about as useful as "Contents Hot" on a coffee cup: true enough to scald your privates when you buy it, but just wait a bit and it's a total lie.