He's complaining about Wordpress and their vulnerabilities when he:
1. hadn't upgraded wordpress in months
2. hadn't performed any backups of his posts
It's hard to be sympathetic to him or TechCrunch. If they're going to use custom features like third-party plugins and specially designed pages, they should have developers on staff to actively work to make sure that their customizations will work after an upgrade. By not doing that they're begging to be attacked.
Whenever a security update is released it is utterly trivial to do a diff against the previous package and get a vector to exploitable vulnerabilities in the previous version (in many cases the changelogs themselves are a good hint). The default Wordpress headers also make it easy to quickly tell which version of WP a site is running and whether it's worth attacking.
I give Wordpress credit for the advances they've made in automating parts of the upgrade process - it's now one click from the dashboard and if you are a popular site there really is no excuse for running an out of date version.
However it's not enough. Wordpress needs to move to minor/major versions, where minor versions, which consist of security updates, are automatically applied when detected by a blog. (Major updates that feature changes likely to break plugins should still require user input).
Yes, I admit frequent updates can be a nuisance, but when they are literally spoon-feeding you the update process (less than 10 seconds and one click in most cases), it's stupidity - really.
Drupal CMS: less popular - more vulnerabilities.
It's an artifact of their development practices and code quality that requires such frequent updates, not a desire to provide regular small patch sets.
See tptacek's comment on their implementation quality: http://news.ycombinator.com/item?id=806910
You can also compare the quantity and severity of vulnerabilities against MediaWiki:
Why do there have to be frequent security updates in the first place?
If they didn't manage to tighten up their very limited attack surface in 6 years then I'd say it's a lost cause.
For me the problem is not that they release frequent updates - I would have a problem if they didn't release frequent updates to known severe vulnerabilities. If you look at their release logs you will see that most of their security updates have a 24-48 hour turnaround from the time of the vulnerability's detection.
The recent vulnerability that affected this blog and most others (i.e., Smashing Magazine) was fixed 2 releases before the current release. People who were affected didn't update for the last 3 releases, and someone out there developed a script that automatically scans for that vuln. and takes advantage of it.
From a security standpoint Wordpress is a trivial application because it's almost entirely read-only, except for the comments. Making a plugin-architecture bullet proof is a different story, but as I understand it most of these issues affect the very core, i.e. a vanilla wordpress install.
There is no excuse for their sorry state of affairs.
That list lumps in security vulnerabilities from over 4000 third-party plug-ins.
For me, I am subscribed to their blog so I get notified by e-mail when there is an upgrade; from there it takes less than a minute to log in to my admin and upgrade. As a matter of fact, I did my last update from my iPhone when I was on the road.
Instead of playing the "poor me" game, say it the way it is; you failed at keeping your wordpress install up to date and secure and you failed at having a backup.
Smashing Magazine got compromised last week and came out straight and admitted their failure at keeping it safe by not upgrading.
This scoobie guy sounds a lot like Arrington - no wonder they are best friends.
Which is, in itself, a fruitful source of potential security holes: To accomplish this feature, Wordpress has to have permission to overwrite its own executables.