WordPress as a platform targets the easy-to-use market, so many of its site admins are not IT professionals. The automatic update system built into WordPress core addressed a large part of the security problem: sites run by people who do not actively update their software.
One glaring shortcoming of the WordPress development model is that the project does not maintain a set of stable release branches. The WordPress core team wants you to stay on the most recent release to be secure. In practice they have backported security fixes to previous releases going all the way back to 3.8, but you definitely get the feeling that this is a half-hearted stopgap while they browbeat you into upgrading to the current version.
Linux distributions went through this growing pain 15 years ago with the introduction of enterprise distributions. It is about time the WordPress Foundation recognized that WordPress is no longer a small-time blog package. It needs long-term supported releases for the stability of its platform.