I personally think it's mostly a popularity thing, since WordPress pretty much owns the blog market. I think the other problem, however, is just with how simple they've made it to accidentally backdoor your site. There are thousands of plugins for WordPress, installable with just a couple of clicks, written by people who know nothing about security, or have possibly even maliciously left holes in their plugin. Unlike large projects that are generally maintained and reviewed by dozens of people, a plugin is usually written by one person who could just decide to backdoor your site in the next update.
I've got a couple of moderately popular plugins, and every time I release an update I think about just how easy it would be to take over thousands of sites by just adding a few innocuous-looking lines of code. Except I'm not evil, so I don't.