WordPress as a CMS is fine, but 90% of websites (e.g. the bit that lands in your browser) don't need the complexity of runtime generation and pointlessly run an application with a huge attack surface that's relatively easy to compromise. If sites used WordPress as a backend tool with a static site generator to bake the content, there'd be far fewer compromised websites.
WordPress's popularity is mostly adding a huge amount of complexity, runtime cost, and security risk for every visitor for the only benefit of a content manager being able to add a page more easily or to configure a form without needing a developer. That is optimizing the least important part of the system.