Re: "The Coder module [..] does not need to be enabled in order to be exploitable"
@Aodhhan - All fair points, but ones which apply to any CMS to my knowledge. WP's popularity does make it a huge target; but it's popularity also means more eyes on and more people with an investment in it being secure, so it's not all downside.
You use the fewest plugins possible, and the ones you do use should be regularly maintained; but again that's universal...same applies to Drupal modules and whatever they call add-ons for Joomla (it's been a while) etc.
But it all depends upon use. If you want to protect important info from state-level players, you'd be insane to use any CMS. If you want an installation where a relatively low-tech owner can maintain it and change bits, then WP is ideal; and ease of applying whatever updates are available are a big plus there. You can even tell the site to keep itself updated in the event of exceptionally clueless/lazy owners, and you can't do that with Drupal.