I've done a massive amount of deployments with various PHP-based web-CMSes, mostly Joomla and WordPress. And while they're all built on ancient hacks of incredibly crappy architecture and application models, the type that lets you stand back in awe and amazement vis-a-vis the utter shittiness of each of these webapp-hodgepodge behemoths, I like WordPress the best, because at least I don't feel dirty when building a quick hack with it *and* I actually *can* build a quick hack with it. Unlike, for instance, Typo3, which is truly FUBARed.
WP is an entire hack in itself - sort of like an extension of the non-existent PHP philosophy it's built with.
However, as for the WP security record, I am honestly surprised how good it is. And before you start laughing, keep in mind that there are an estimated 50 million actively used installs of WordPress running on the web, with more than 80 million in total.
Yes, there are security updates every odd month, yes, the plugins are a mess, and yes, the people developing for and with WP and building extensions for it couldn't code a proper class if their life depended on it. And they should be prohibited by law from approaching a keyboard. But they do get the job done, and it's exactly for that very reason that I'm surprised how well the core team keeps up with stuffing the most prominent and dangerous holes, often before anybody else discovers them.
I'm quite certain this hole will be plugged in the next few days as well.
Measured by its install base, WordPress security actually is quite impressive. There is no other WebCMS with such a market share out there and I doubt any other product would be measurably safer. ... My 2 cents.