Having used Wordpress for the last 6+ months with my current client
I can safely say I am SO glad I use Concrete5 for my own projects.
WP is hideous and has so little out-of-the-box get-stuff-done functionality with any plugins you may want to install having never been code-reviewed or security-checked by anyone other than the person (and their commensurate skills) that coded it. God forbid you ever want to move it onto another server as its own import/export stuff cannot be relied upon so you even need a third party plugin to achieve that (which I'm spending today evaluating), unless you really like having to go through the database to do string replaces where it's written its damned site domain into data.
I'm utterly unsurprised it's a popular attack vector and would never ever dare recommend a client used it for anything.