WordPress is often regarded as a security hole because of the frequent reports of security issues in and around the software. Historically, not every design decision was ideal with respect to security; however, as one of the most popular CMSes, it is bound to be a primary target for security researchers. Moreover, many of today's issues do not reside in WordPress itself but in out-of-date plugins, or are simply due to out-of-date installations. Fortunately, in recent years much effort has gone into making it as easy as possible to combat both of these weaknesses.

Transitioning to a different CMS of comparable complexity is unlikely to yield a security benefit per se as long as there is no proper patch policy.

Keeping WordPress Up-to-date

Keeping WordPress Plugins Up-to-date

WordPress also features an auto-update mechanism for themes and plugins, and since version 5.5 auto-updates can be configured per theme and per plugin. Note that vulnerabilities in themes are not uncommon, and a compromised theme can lead to a full takeover of the WordPress installation.

Incompatible plugins are often cited as the reason for disabling auto-updates for the WordPress installation proper. As far as security goes, in our experience this leads to ever-ageing installations that nobody feels responsible for touching anymore. Unfortunately, the only ways around this are to reduce the website's features where possible and thus use as few plugins and themes as possible (generally advisable), and/or to pay for the maintenance of plugins and themes, either by a third party (under a strict SLA) or in-house.
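As an added example (not part of the original page), the following must-use plugin implements the per-plugin and per-theme policy described above: every plugin and theme auto-updates except an explicit pin list, so a single incompatible plugin no longer becomes the reason to switch updates off for the whole site. The plugin and theme names in the pin lists are placeholders; the filter names are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Auto-Update Policy (added example, not from the page)
 * Description: Opt every plugin and theme into auto-updates, except an
 *              explicit pin list of items known to break when updated.
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request
 * and cannot be deactivated from the dashboard.
 */

// Plugin basenames (directory/main-file.php) that stay pinned because they
// are known to be incompatible with unattended updates. Placeholder values.
const AUP_PINNED_PLUGINS = array(
    'example-legacy-gallery/example-legacy-gallery.php',
);

// Theme directory names that stay pinned. Placeholder value.
const AUP_PINNED_THEMES = array(
    'example-custom-theme',
);

// Enable auto-updates for every plugin unless it is pinned.
// $item->plugin is the plugin basename from the update transient.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, AUP_PINNED_PLUGINS, true ) ) {
        return false; // pinned: a human updates this one after testing
    }
    return true;
}, 10, 2 );

// Same policy for themes. $item->theme is the theme's directory name.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    if ( isset( $item->theme ) && in_array( $item->theme, AUP_PINNED_THEMES, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Also take core major releases automatically, not only minor/security ones.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Ensure nothing else (e.g. a stale constant or plugin) has switched the
// automatic updater off globally.
add_filter( 'automatic_updater_disabled', '__return_false' );
```

Because the filters take precedence over the per-item toggles in the dashboard, the pin list is the single place to review when deciding whether an exception is still justified.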

Web-Server Hardening, PHP, Configuration Measures, etc.

Where possible, it is advisable to follow best practices for configuration measures, including:

In addition, the host operating system needs to be kept up to date. A very good guide, provided by Automattic themselves, can be found here:

https://developer.wordpress.org/advanced-administration/security/hardening/