Today it hit me. My string of arguments for and against <subject> reminded me of something and I couldn't really put my finger on what it was. And then it suddenly struck me: Wordpress is pretty much like Microsoft Windows.
It's easy to install but needs a lot of tweaking
That's the first thing those two pieces of software have in common. An agency will provide you with a Wordpress installation and claim that it has the biggest market share, is supported by most hosting providers and is easy to maintain. That's a load of bullshit. The Wordpress core might be easy to maintain. A complete Wordpress installation as delivered by an agency or freelancer, with all the plugins and extensions that a theme comes with, is a whole different story.
Do you want to keep track of all the security updates for each and every plugin the site comes with? I know I don't. And it's the same thing with Windows. People keep installing random software that they downloaded somewhere. They don't know what the software is doing or how it is maintained. They don't even have any certainty that this software is what it claims to be, or that the source providing it is who they say they are. With Wordpress it's pretty much the same thing. People buy themes, install stuff, add extensions, tweak things around a bit and then they hope that this Frankenstein'd piece of a website will do its job properly.
If you don't want to weld a Wordpress installation into something it is not (like a real CMS), you are going to have to keep track of every single component that you installed. You can't blame the Wordpress core for that: it is as secure as it gets and it has a team behind it that tracks bugs and security holes and ships fixes. However, the core alone will never give you a working site. You can of course build a site with the core as a basis and extend Wordpress in a custom way so it actually fits your needs. But if you can do that, you might as well use a real CMS and not an overrated blogging platform.
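What "keeping track of every single component" looks like in practice, as an added example that is not part of the original post: a Python script that inventories a wp-content/plugins directory by parsing the header comment WordPress itself reads from each plugin's main file (`Plugin Name:` and `Version:` in the first 8 KiB), records a content hash per plugin, and audits the result against a manifest of what you approved. The fixture plugins, their versions and the manifest format are constructed for the demo and are not a WordPress API.

```python
"""Added example (not from the post): inventory the third-party components of a
WordPress install by parsing plugin file headers, then audit them against a
manifest you maintain. The fixture plugins, versions and manifest below are
constructed for the demo; the manifest format is an assumption, not a WordPress API."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

HEADER_BYTES = 8192  # WordPress only reads the first 8 KiB of a plugin's main file


def parse_plugin_header(php_file: Path) -> Optional[dict]:
    """Extract 'Plugin Name' and 'Version' from a WordPress plugin header comment."""
    text = php_file.read_bytes()[:HEADER_BYTES].decode("utf-8", errors="replace")
    data = {}
    for field in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$", text, re.M | re.I)
        if m:
            data[field] = m.group(1).strip()
    return data if "Plugin Name" in data else None  # no name header: not a plugin


def tree_sha256(path: Path) -> str:
    """Hash every file under a plugin folder (or a single-file plugin) so edits show up."""
    h = hashlib.sha256()
    files = [path] if path.is_file() else sorted(p for p in path.rglob("*") if p.is_file())
    for f in files:
        h.update(f.relative_to(path.parent).as_posix().encode())
        h.update(f.read_bytes())
    return h.hexdigest()


def inventory(plugins_dir: Path) -> dict:
    """Map plugin slug -> {name, version, sha256} for every plugin in wp-content/plugins."""
    found = {}
    for entry in sorted(plugins_dir.iterdir()):
        # Plugins are either a folder with a main .php file or a single top-level .php file.
        candidates = [entry] if entry.suffix == ".php" else sorted(entry.glob("*.php"))
        for f in candidates:
            hdr = parse_plugin_header(f)
            if hdr:
                slug = entry.stem if entry.is_file() else entry.name
                found[slug] = {"name": hdr["Plugin Name"],
                               "version": hdr.get("Version", "0"),
                               "sha256": tree_sha256(entry)}
                break
    return found


def version_tuple(v: str) -> tuple:
    """Numeric-aware comparison key; non-numeric parts (beta, rc) sort below numbers."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def is_outdated(installed: str, latest: str) -> bool:
    a, b = version_tuple(installed), version_tuple(latest)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit(plugins_dir: Path, manifest: dict) -> dict:
    """Classify each plugin: unknown (not approved), outdated, modified (hash drift), ok."""
    report = {"unknown": [], "outdated": [], "modified": [], "ok": []}
    for slug, info in inventory(plugins_dir).items():
        pinned = manifest.get(slug)
        if pinned is None:
            report["unknown"].append(slug)
        elif is_outdated(info["version"], pinned["version"]):
            report["outdated"].append(f"{slug} {info['version']} -> {pinned['version']}")
        elif pinned.get("sha256") and pinned["sha256"] != info["sha256"]:
            report["modified"].append(slug)
        else:
            report["ok"].append(slug)
    return report


def build_sample_site() -> Path:
    """Constructed fixture: a fake wp-content/plugins with three plugins."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    root.mkdir(parents=True)
    for rel, name, ver in [("contact-forms/contact-forms.php", "Example Contact Forms", "2.4"),
                           ("theme-bundle-slider/slider.php", "Theme Bundle Slider", "1.2.0")]:
        f = root / rel
        f.parent.mkdir()
        f.write_text(f"<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n")
    # Single-file plugins live directly in the plugins folder.
    (root / "notes.php").write_text("<?php\n/*\nPlugin Name: Example Notes\nVersion: 1.0\n*/\n")
    return root


def run_demo() -> dict:
    site = build_sample_site()
    baseline = inventory(site)
    # Manifest: the plugins you approved, at the versions you last reviewed, with pinned hashes.
    manifest = {s: dict(baseline[s]) for s in ("contact-forms", "notes")}
    manifest["contact-forms"]["version"] = "2.5"  # a newer release exists
    # Simulate an unreviewed change to a plugin file after the baseline was taken.
    with (site / "notes.php").open("a") as fh:
        fh.write("// unexpected change\n")
    return audit(site, manifest)


if __name__ == "__main__":
    for category, items in run_demo().items():
        print(f"{category}: {items}")
```

On a real site you would feed `audit()` the versions published on wordpress.org (or `wp plugin list` from WP-CLI) as the manifest. WP-CLI's `wp plugin verify-checksums` does the hash comparison against wordpress.org for plugins hosted there; the plugins bundled with a purchased theme usually aren't, which is exactly the case where a pinned hash of your own is the only check you have.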
Everybody uses it!
Sure. People are creatures of habit. If you hear a name often enough, that gives you the idea that something is commonly used, and therefore good. In Germany we have a saying that literally translates to "Millions of flies eat shit", pointing out that something being commonly used doesn't mean it's a good idea to do the same. Pick your own dinner. Don't follow the flies.
People work their way through Wordpress and they have a hard time doing so. Which brings me to my next point.
It's easy to use and anybody can work with it
Again. Bullshit. I gave my parents a fully-fledged Linux install with everything set up the way it's supposed to be. Nobody expects anybody to be able to install an operating system and maintain and upgrade it. However, a fully set up system should be easy to use and not do unexpected things all the time.
When my parents were using Windows, I feel like I was constantly having support calls about stuff that just 'broke' out of nowhere, toolbars that my parents accidentally installed, software they installed while unintentionally grabbing some malware along with it. Without administrative privileges, Windows is mostly useless to people. However, those privileges also give them the ability to break everything, and give any malware they run the ability to do the same, with the exact same administrative privileges. I was sick of those support calls so I gave them something that isn't high maintenance. Today my parents have been using Linux for almost ten years and they don't want anything else ever again.
The problem with people is that they don't take a closer look at most things. Haven't heard of it, won't use it. People get the same sermon about Wordpress. In fact, it is neither easy to use, nor can it be maintained easily. And it has the same problems as a Windows installation. There's an administrative role and a content editor role. One can do stuff, the other is useless. And using the admin account, the client can break everything and you can't do anything about it.
It's the most exploited system because it's the most commonly used
Again. Bullshit. Both are the most exploited systems because they are easy targets. More importantly, a Windows client machine is absolutely uninteresting to most hackers/rooters/crackers, because it doesn't have a static internet connection and it can't run the code you inject 24/7. It's more interesting to gain control of a server that is connected to the internet via a gigabit link in a data center. Ironically, those machines mostly run Linux. Now why would you think that is?
Same with Wordpress installations. Professional websites aren't built in Wordpress. Period. Some companies do that and have a highly customized Wordpress installation (such as Sony Music and a few others). But those sites have a team of developers behind them, so they might as well have gotten a real CMS instead. Wordpress might be the most commonly used CMS, but this doesn't mean that the other systems are just as vulnerable. High-value targets run Typo3, MODX, Drupal, customized shop systems and other stuff. People are desperately looking to break into those systems instead.
The only problem is: those systems are maintained far better, and their architecture doesn't leave room for the simple exploits that work against Joomla or Wordpress. Breaking into them takes a lot of work to begin with.
To cut a long story short: If you're on a budget, go with something static first
Choose a static website over a CMS-driven one first. A good development team can later integrate your site into a good CMS and map each and every part of it to a management interface. Don't use a CMS that is full of security holes just because some agency tells you it's easy to use and Sony Music uses it too. You're not getting the same thing as them. And don't buy the "easy to learn" pitch, which is there so they can sell you their management plan later on, when you realize that you don't find it easy at all.
The same goes for both Windows and Wordpress: if you can avoid it, do. The Windows users have taken the leap and they're using Linux now on their phones (Android). And guess what: they're fine with it. Ever wonder why nobody uses Windows phones? I sure don't.
Hopefully the same thing will happen on the website market, as soon as the GDPR storm has blown over (and, hopefully, blown away a lot of the cheap and insecure sites that the internet has to offer at the moment).
Cheers.