Regarding the need to build those URLs, I can't really figure out if there is a security improvement. I mean, everything is already protected by the /admin "middleware" so to speak.
However, the underlying reason I would do that is case-sensitiveness. In *nix-based systems, directory "Event-logger" is different from "event-logger" while in Windows-based systems it isn't. So if you happen to have those two directories in your qa-plugin directory, you are using Linux and the web server is configured to ignore case sensitiveness in URLs (I'm pretty sure there is a setting for that) then the web server will find two matches and one will be inaccessible.
BTW, note I was the one who has rewritten that part of the code and added the plugin manager class but I haven't actually modified the underlying logic from 1.7.x, just the structure. So hashes are still being used.
Regarding building the URLs in 1.8.0, check this function: qa_admin_plugin_options_path()
As a side note, concatenating strings is not the right approach to build URLs. Check the qa_path() function.