@ Trevor Pott:
Nice theory about the benefits of a mature ecosystem and plugins and all, but that's not the reality of WP. The core CMS is a bloated rat's nest full of bugs and dodgy practices (soft-fail, functions that second-guess their arguments, etc). The plugin/theme interface is "everything is global, you can do whatever you want, but please use our poorly documented monkey patching hooks". It doesn't matter how secure WP core is - any plugin can undermine it. Even the official WP repository is full of shoddy plugins. Few users possess the knowledge (or time) to choose wisely.
Most WP sites I've seen have so much custom code that they might as well be written from scratch. When you have to copy-and-modify half of the login/signup code to make the client happy, it makes you wonder if you're really gaining anything from a ready-made CMS.
If the #1 CMS did just the few things WP does well, built on a solid architectural foundation, then you'd have a point.
WP's handling of this vuln/update is another red flag. First, they downplayed the severity in their update notice, saying a "contributor or author" could "compromise" a site, versus the apparent reality of total ownage by random commenters. Second, the update broke a bunch of sites & plugins; people are screaming about it on WP forums, questioning the wisdom of auto-update.
"Static" sites just keep looking more and more attractive...