Re:Vulnerabilities galore! (Score 1)

You're right, but it appears that what many people consider core functionality exists only in third-party components.

Well, maybe. But I'd say that's debatable, and probably an argument that can never be solved satisfactorily. Personally, I like the fact that they've kept a lot of stuff OUT of the core. Makes the initial setup pretty easy, if you only need a very simple site.

What would be useful would be a two-level system of components: Trusted, peer-reviewed, security-tested components and then a free-for-all category where you rolls the dice and takes your chances. Put the priority on testing the popular stuff.

Even then, I concede that any system, however rock-solid it may be, is a problem if it allows (or encourges) the installation of untrusted components by novice users. But novice users will always find a way to trash the security of their own setups. Security requires vigilance, and people are lazy.