[RobGR]

I'm a great promoter of Drupal, including in those cases where it competes with WordPress. However in all honesty I can't really play the security card against WP. I think WP itself meets generally accepted security standards; the 3d party code loaded into it sometimes does not, but that's the same case with any framework that allows modules.

WP probably gets a bit of a bad rap because the types of sites made with it often don't have the budget to bring high quality development. When you serve 20% of the web, and people choose you precisely because they can get cheap developers, there will be some problem sites out there running WP.

In this particular case, it seems to me that they would have been flagged if they had been running anything, Drupal or Jekyll or a static site - they had an external theme provider who referred to a domain in CSS comments that was listed by google.

The problem seems to be the accuracy of Google's flagging, not WordPress.