It's not really that hard to run Wordpress securely enough to deal with the sorts of automated attacks that target Wordpress sites.
As I understand it, the danger in custom code is not just that it will be architected insecurely, but that simple oversight can create a vulnerability that won't be found until it is too late. If only one site is running your code, then that site will go down if a vulnerability is found.
One advantage of running Wordpress is that Automattic is leveraging a network of millions of honeypots (the other bozos running Wordpress) to find new vulnerabilities fast. You have keep on top of the patches though.
As I understand it, the danger in custom code is not just that it will be architected insecurely, but that simple oversight can create a vulnerability that won't be found until it is too late. If only one site is running your code, then that site will go down if a vulnerability is found.
One advantage of running Wordpress is that Automattic is leveraging a network of millions of honeypots (the other bozos running Wordpress) to find new vulnerabilities fast. You have keep on top of the patches though.