A CMS, in a nutshell, is a bunch of HTML forms (it could be XForms in theory but I've never seen one that is), wrapped up in an RBAC layer, that allows site data to be updated through those simple forms... that's it. Those are the only common features - there are SO many CMS systems written for the LAMP stack, practically everything else is optional.
The point is that your CMS should be a controlled environment that's not available for anyone other than approved users to access. Since your users are unlikely to be coders (think the marketing department) your CMS will be pretty useless WITHOUT client side scripts - you ARE going to need a WYSIWYG interface to create the HTML (TinyMCE, CKEditor ... etc).
However, so long as your RBAC system cannot be easily circumvented (which is the tricky bit) though use of URI manipulation, CSRF, XSS, SQL injection and the like, the risk from using a CMS is fairly low whilst the benefits are enormous (e.g. you build/integrate the CMS and then the marketing team do the work of keeping the site/products up to date whilst you drink tea and eat biscuits... erm, I mean, work on TNBT).