[_mpf]

I agree with "Security is a process, not a product." AFAIK security is important for WordPress team. There is a lot of good documentation on a project site and there are some materials from WordCamps (fe. http://codex.wordpress.org/Hardening_WordPress)

Latest WP "hack" via botnets was because of weak logins and passwords which are set by the users. Can you blame WP devs for that?

Speaking about upgrading; making updates easier it`s also one of the goals of the project. Also it isn`t that hard when you develop WP sites using information from WordPress Codex docs.

I hope it will get better with time, and as i wrote people are working to get things better. Sorry to hear that you are not going to recommend WordPress any longer.