If you go through the Chrome bug tracker, you can find several instances where Chrome engineers point out that Click-to-Play is not meant to be a security feature, and that the "Block all" setting is what is actually secure. There are several bugs which demonstrate ways around Click-to-Play which are closed as "WontFix". A quick search yields the following quotes from Chrome engineers:
"Yes, this is why click-to-play is designed as a convenience and not a security feature. If you want plugins blocked in a way that cannot be click-jacked, use "Block all," which requires a protected browser interaction (context menu, page action, etc)." [0]
"The "Click to play" setting is not a security measure. If you want to securely block plugins you must use the "Block all" option, which is a bit less convenient than "Click to play," but provides a click-jack resistant, browser mediated interface." [1]
"I'm kicking this out of the security queue because it isn't a security mechanism ... The secure method of blocking plugins is to select "Block all" and right-click to run. Whereas the "Click to play" feature is for convenience and performance." [2]
"It's not a security feature..." [3]
[0]: https://code.google.com/p/chromium/issues/detail?id=176724
[1]: https://code.google.com/p/chromium/issues/detail?id=225636
[2]: https://code.google.com/p/chromium/issues/detail?id=160707
[3]: https://code.google.com/p/chromium/issues/detail?id=414232
I'm sure there are other instances where they talk about it more; these are just the first results I found.