I think the real problem is that Wordpress appeals to a lot of casual users who are understandably not security experts and the default settings are not secure. Getting a Wordpress server started and working isn't too hard but actually setting one up correctly is almost a full-time job.