When we talk to people during their initial telephone consultation, we find ourselves frequently asking "is this a Wordpress site?" or "is this built with Wordpress?" and in the majority of cases we guessed correctly.
Wordpress itself is a perfectly capable and secure platform, but the plugins available vary wildly in their quality. Combine this with a site owner that doesn't religiously upgrade the site, it's plugin, and it's theme (frequently forgotten) and uses naive passwords, you have an ecosystem ripe for attack.