Yes and no.
With custom code, that audit, should you bother, needs to happen once and then perhaps again when changes are made.
An open CMS is likely a moving target. Depending on the code quality and the familiarity of the audit team, an audit probably is easier, but how long is that audit really good for? What do you do when you KNOW you are running an insecure version as a hole has been found, but are not in a position to upgrade and re-audit the entire CMS? Do you get paid to keep the software updated to the latest version at all times?
It sounds very much to me like HBGary was a target who didn't feel the need to secure their own systems as well as they could have. I don't think an open or closed CMS matters that much compared to their perceived business priorities. How many open CMS products make the same mistakes of using a fast hash function like MD5? Without a salt or multiple iterations?
These problems are common. It takes more resources to fix them. Is it worth it? For them, I can easily see them laughing all the way to the bank had one clueless individual not provoked Anonymous. They fired the vendor; that's probably the fix they intend on as far as their CMS goes. After all, if your admin is going to give out the passwords based on an email, does how you store them protect you?
For them the ROI of STFU was greater than fixing every best practice ignored. But they screwed that up too. I'm sure they could have screwed it up with an open CMS as well.