The constant hacks are a side effect of WordPress's popularity. Every discovered security flaw is exploited by bots almost immediately. Unless you keep up with the updates you are very vulnerable.
It is not because WordPress is built on a "legacy" stack. Other CMSes on that stack (and many are very popular) don't have this problem.
The popularity helps, but it’s also because WordPress’s security model is distilled insanity. PHP makes this insanity far easier than most languages, and WordPress embraces that, whereas the likes of Drupal rebuff it.
I think the security issue is that people trust random plugins without reviewing them.
I’ve been running WP with small and large companies and no big security issues. You either build your own plugins or go with the trusted few you need to augment your operation.
Same. I've been working with and managing thousands of WP sites for over a decade and the only issues I've had have been with sites acquired from 3rd parties with random themes and plugins (and old WP versions) that break if you update something. Those have gotten hacked and have caused many headaches.
Basically no issues with sites built in-house. As you say, only reputable 3rd party plugins (like for SEO, caching, multilang), most others made in-house.
This is the way. WordPress is so popular because you can get it to do or be anything. I have done some terrible terrible things to WordPress. Need a simple blog? No problem! Want an LMS? Sure why not! e-commerce? Go for it! CRM? Absolutely! Etc etc.
But there are many many "WordPress" developers out there that only know how to glue plugins together, so you often end up with plugin soup.
In the hands of someone who actually knows how to code you don't have any issues.