I've had WordPress cracked thrice under my watch by automated exploits. That's why I pay Sucuri $400/yr, simply to tell me when it's happened.
The first one used an admin flaw to edit articles directly. The latest used the theme upload capability to write themselves into every theme in the system. (Partly my fault for leaving that directory as writeable by the server.) I don't recall what the 2nd one did.
WordPress bundles security patches and bugfixes with the releases. You can't have them separately.
If you need a fix or security update the basic mechanism is "fuck you, upgrade".
Otherwise I wouldn't have upgraded for the past dozen versions or so.
Basically I have to split the risk between security improvements and data loss.
As you can imagine ... I am not a fan of WordPress.
There's a well documented and fairly complete export format, and there's even a gem to allow direct import from MySQL -> Jekyll. There are many other blogging services and/or platforms you could use.
Really don't understand people like you, hating the platform they're on when they have complete freedom to move.
Some of us are stuck due to management decisions (Drupal, for me, currently) - we've had a huge push to switch to Rails, but no go, our network hasn't given official ATO. (Military/DOD)