The problem's normally not WordPress itself (when kept updated), it's the trash fire of plugins that float around it, leaving all sorts of security issues in their wake.
If you actively encourage and enable an ecosystem, you have some kind of responsibility. Maybe less than the person who installed it, but the whole WP thing is for non-technical people. It's still ethically questionable and shameful.