Deprecated or vulnerable plugins offered before non-deprecated and non-vulnerable plugins

This issue is archived.


Steps to reproduce

• Install the latest Jenkins weekly (at the time of this writing, 2.346).
• Go through the setup wizard, installing all suggested plugins.
• Install some of the plugins on the first page of available plugins. I installed Blue Ocean, Maven Integration, Docker Pipeline, Subversion, Config File Provider, jnr-posix API, Role-Based Authentication Strategy, Publish Over SSH, Jira, Pipeline Utility Steps, Copy Artifact, Rebuilder, Slack Notification, AnsiColor, Job DSL, and Amazon Web Services SDK.
• Go to the plugin manager and look at the available plugins.

Expected results

Non-deprecated plugins are offered before deprecated plugins.

Actual results

Pipeline: Declarative Agent API and Icon Shim (which are both deprecated) and Extended Choice Parameter (which has security vulnerabilities) are offered before non-deprecated plugins without security vulnerabilities. This seems bad, as the order in which plugins are presented to users is an implicit sign of endorsement. We should not be implicitly endorsing deprecated or vulnerable plugins by offering them to users before non-deprecated and non-vulnerable plugins.
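The check and the ordering the report asks for, written out as an added Python example (not part of this report and not Jenkins code). It works on a small constructed dictionary shaped like the update center's JSON as I understand it (a "plugins" map, a "deprecations" map, and a "warnings" list whose plugin entries carry version-range regex patterns); the plugin IDs, versions, warning IDs, messages and URLs in the sample are illustrative, and the "installed" set is assumed rather than read from a live controller. `misordered` reports the condition described above (a deprecated or vulnerable plugin listed ahead of a clean one), and `rank_available` produces the expected order while keeping the update center's own order inside each group:

```python
"""Rank an update-center plugin listing so that deprecated or vulnerable
plugins come after plugins that are neither (added example, not Jenkins code)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of a Jenkins update-center.json subset
# (keys "plugins", "deprecations", "warnings"). Plugin IDs and versions are
# illustrative; warning IDs, messages and URLs are made up for this example.
SAMPLE_UPDATE_CENTER: Dict = {
    "plugins": {
        "git": {"title": "Git", "version": "4.11.3"},
        "pipeline-model-declarative-agent": {"title": "Pipeline: Declarative Agent API", "version": "1.1.1"},
        "icon-shim": {"title": "Icon Shim", "version": "3.0.0"},
        "extended-choice-parameter": {"title": "Extended Choice Parameter", "version": "1.0"},
        "timestamper": {"title": "Timestamper", "version": "1.17"},
        "ws-cleanup": {"title": "Workspace Cleanup", "version": "0.42"},
    },
    "deprecations": {
        "pipeline-model-declarative-agent": {"url": "https://example.invalid/deprecated"},
        "icon-shim": {"url": "https://example.invalid/deprecated"},
    },
    "warnings": [
        # Active warning: the pattern matches every published version.
        {"type": "plugin", "name": "extended-choice-parameter", "id": "constructed-warning-1",
         "message": "constructed: unresolved vulnerability",
         "versions": [{"pattern": ".*"}]},
        # Resolved warning: the pattern only covers the old 1.0.x line, not 1.17.
        {"type": "plugin", "name": "timestamper", "id": "constructed-warning-2",
         "message": "constructed: fixed in a later release",
         "versions": [{"lastVersion": "1.0.3", "pattern": r"1\.0(\..*)?"}]},
        # Core warnings do not name a plugin and must be ignored here.
        {"type": "core", "name": "core", "id": "constructed-warning-3",
         "message": "constructed: not a plugin warning", "versions": []},
    ],
}


def is_deprecated(uc: Dict, name: str) -> bool:
    """A plugin is deprecated when it appears in the "deprecations" map."""
    return name in uc.get("deprecations", {})


def has_security_warning(uc: Dict, name: str) -> bool:
    """True if a plugin warning covers the version the update center currently
    offers (each range's "pattern" regex is matched against that version)."""
    version = uc["plugins"][name].get("version", "")
    for warning in uc.get("warnings", []):
        if warning.get("type") != "plugin" or warning.get("name") != name:
            continue
        for rng in warning.get("versions", []):
            if re.fullmatch(rng.get("pattern", ".*"), version):
                return True
    return False


def rank_available(uc: Dict, installed: Set[str]) -> List[Tuple[str, bool, bool]]:
    """Return (name, deprecated, vulnerable) for every plugin not yet installed,
    ordered clean first, then deprecated-only, then anything with a security
    warning. The sort is stable, so the update center's own order survives
    within each group."""
    rows = [(n, is_deprecated(uc, n), has_security_warning(uc, n))
            for n in uc["plugins"] if n not in installed]
    return sorted(rows, key=lambda r: (r[2], r[1]))


def misordered(uc: Dict, installed: Set[str]) -> List[str]:
    """Names of deprecated or vulnerable plugins listed ahead of at least one
    clean plugin: the condition this report describes."""
    listing = [n for n in uc["plugins"] if n not in installed]
    flagged = {n for n in listing if is_deprecated(uc, n) or has_security_warning(uc, n)}
    clean_positions = [i for i, n in enumerate(listing) if n not in flagged]
    if not clean_positions:
        return []
    last_clean = max(clean_positions)
    return [n for i, n in enumerate(listing) if i < last_clean and n in flagged]


if __name__ == "__main__":
    already = {"git"}  # assumed: plugins the controller already has
    print("Offered ahead of a clean plugin:", misordered(SAMPLE_UPDATE_CENTER, already))
    for name, dep, vuln in rank_available(SAMPLE_UPDATE_CENTER, already):
        tag = "vulnerable" if vuln else "deprecated" if dep else "ok"
        print(f"{name:35} {tag}")
```

Against a real controller the same functions can be fed the update center JSON the plugin manager fetched and the set of installed plugin short names; a warning is only treated as active when its version pattern matches the version currently offered, so plugins whose advisories were fixed in a later release are not demoted.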

Assignee: Unassigned
Reporter: Basil Crow
Archiver: Jenkins Service Account
