First, it's not a workaround to remove the install directory after installing MODx; it's a absolute requirement, and there is even a checkbox that will do it for you if PHP has permission to remove the files.
Second, no one at or associated with modxcms.com was notified of this in any way, shape or form, on June 16, 2010. How is this a medium severity? This is absolute nonsense, total FUD, and a complete non-issue. You should never leave the install directory in place or you have much bigger problems than XSS injection.
