[rectang]

The core WordPress codebase has been polished until it's sorta OK. It's got some quirks, but many of the obvious problems have been patched over the years.

The plugin marketplace, on the other hand, is a disaster area. Plugins are marketed to non-software people who don't understand security and don't know how to evaluate products for it, even though they might care in the abstract. The result is that the typical WordPress installation is a festering mess of insecure plugins, and sites get hacked all the time.