WordPress is secure enough that whitehouse.gov runs on it and zero-day vendors pay $100,000+ if you have an exploit for the core WordPress software. It's not "magically secure" though -- you wouldn't say that AWS is insecure because some people set it up wrong or use bad integrations.
I'm curious, do you have any information on how much whitehouse.gov spends on cybersecurity testing and customization? I imagine it's considerably more than the $100,000 you mentioned for a WordPress exploit. I work in this space and have experience with offensive security tests, including on Amazon itself.
