It’s time to clear up the debate once and for all. Despite all the doubts (and some haters), WordPress core is without a doubt one of the most secure platforms you can choose to put a site on. Of course, a WordPress install is only as secure as the plugins it leverages — but that’s another post for another time.
That pretty much sums everything up but I highly encourage you to read the entire post as Jason Cosper brings up a number of good points that illustrate just how secure the core of WordPress is. Outside of the big brute force attacks on WordPress sites which really had nothing to do with the security of WordPress, I can’t remember the last time I updated due to a critical security vulnerability in the core. There are so many variables that are sometimes out of the control of the end-user. Unfortunately, all too often, webhosts put the blame on software such as WordPress when the real issue is their server setup.
Check out this comment from Mark Jaquith in 2011, in response to someone claiming that running WordPress was akin to running Windows 95 without patches, as comical as that sounds.