web2py let arbitrary code be called by the client, and its failsafes were full of holes. So it fell out of favour.

That's just nonsense - source?

Handful of open CVEs in Debian. [0]

The brute-forceable admin happened around the time web2py and Django devs started having a few arguments online, like this one [1], which didn't exactly paint web2py in a good light.

[0] https://security-tracker.debian.org/tracker/source-package/w...

[1] https://www.quora.com/Is-web2py-a-good-Python-web-framework