No, MVC is no magic bullet. I never said that. But MVC, or any other architecture that offers the same structure, is a basic requirement for writing readable, maintainable and proper code.
You want proof for Drupal not being secure? How about this: https://www.drupal.org/security. I'm sure you've seen it before.
To prove that something is secure, you have to prove the absence of security bugs. Proving that something is not present is practically impossible.
I can tell you, but not prove, that I have many Banshee based websites and none of them has ever been hacked. I even have used Banshee professionally and had the web applications I created with it audited by IT security companies. No security flaw has ever been found.
WordPress (core) is probably the most secure CMS out there
Because of the mess, it's easy to make a mistake and introduce a security flaw when changing or extending something. If you ask me, that's exactly the reason why so many plugins are insecure. Because it's hard for the plugin developers to understand the logic and structure of the Wordpress main codebase. Wordpress the most secure CMS? With this codebase? No, not now, not ever!!
that's more of a function of popularity than inherently "bad" code
I fully disagree. Yes, more bugs will be found when more people look at the code, but for bugs to be found, they have to be there in the first place. You won't find many bugs in a proper piece of code, no matter how many people use it and look at its code. So, I think it's a bad excuse.
- No, it doesn't use the PDO library. So? Its SQL library protects against SQL injection and it has a audit script to check for any bypass of this library.
- No, the tablemanager_model.php is not vulnerable for SQL injection. Everything goes via the Banshee SQL library.
- No, passwords are stored via PBKDF2, using SHA256 and 100,000 iterations, which is much stronger.
- No, not probably more issues. It's secure. If you don't agree, provide us with some real proof.
Next time, try to understand the subject you are talking about, before you make false claims and accusations.
- Drupal: slow, ugly hooking system.
- Joomla: spaghetti code, too complicated.
- Wordpress: security nightmare, spaghetti code.
All three are horrible products if you ask me. They should be avoided.
There is never time to do it right, but always time to do it over.