Your statement is patently false in two spots: One, WordPress is not a "comically high percentage" of exploited sites (presumably vs other CMS'?) - I challenge you to prove that (besides the problem of defining 'comically' for these purposes).
Two, WordPress is trivial to update, both for the core software, as well as for plugins. It's literally a two-click process to update with a constant reminder in the UI that updates are available.
I've built and manage dozens of WordPress sites at all levels, and in the few encounters I've had with compromised sites, 100% of the time it is because the end user has been willfully lazy about clicking the update button in the software.
Two, WordPress is trivial to update, both for the core software, as well as for plugins. It's literally a two-click process to update with a constant reminder in the UI that updates are available.
I've built and manage dozens of WordPress sites at all levels, and in the few encounters I've had with compromised sites, 100% of the time it is because the end user has been willfully lazy about clicking the update button in the software.
Security is about people.