Dovecot was designed since the beginning with security in mind and with many ways to provide privilege separation. Although the code is written with C, it's a little bit special C variant that makes it much more difficult to write security holes accidentally than with most other C-based projects.
Please see https://www.dovecot.org/bugreport-mail for more information how to report bugs.
Below is the list of all security holes found from Dovecot. Note that most of these are quite minor holes.
ACL plugin has mainly been used for some simple ACLs and sysadmin should have always tested that they work correctly. But as the ACL plugin has recently been developed more, bugs have been found and distro people have treated them as security holes. I think it's highly unlikely anyone really cared about those. The brokeness of the functionality would have been immediately obvious.
Blocking passdbs allowed to log in without a valid password in v1.0.11 and v1.0.12 (released 5 days ago).