This article on ZDNet makes some great points … namely that WordPress’ very ease of use is why it’s a security threat:
WordPress’ big selling point is ease of use. That means it has massive appeal right at the bottom end of the market.
Down at this level, even in 2013, websites are usually little more than static brochureware that gets updated rarely, if at all. With nothing to change, the sites’ owners don’t log into WordPress, so they don’t see the software upgrade notices. Or if they do, they don’t know what they mean.
This is where businesses are reluctant to spend even a thousand dollars on a site, so asking them to fork over more money for “maintenance” is a waste of time — what visible difference does it make?
Besides, they’ll say, they have someone who “takes care of” their website.
That someone is generally a “web designer”, not a developer. WordPress has been a boon for them. Its multitudinous free or cheap themes and plugins make it possible to build a decent website with plenty of functionality without having to dirty their hands with actual code. Or dirty their minds understanding it.
Forgive me, for I’m about to commit the sin of extrapolating from personal experience, but in nearly two decades, I have yet to encounter a “web designer” with halfway-decent security practices — by which I mean creating a different login for every human rather than a generic “admin” account, creating strong passwords, not reusing passwords, deleting unused accounts, and not blithely emailing a business’ master internet hosting password to any sub-contractor who might need momentary access.
Indeed, many of those I’ve encountered have deliberately set the WordPress admin password (or its equivalent in pre-WordPress days) to be exactly the same as their client’s hosting account master password, their domain registry password, the login on their PC, and everything else in sight to “make it easier” — because that gets rid of those annoying “I’ve lost my password” support calls.
WordPress is now the tool of choice for these people, and they’ve built millions of WordPress websites.