
If you haven't been keeping the WP back end up to date, it's not functionality that's a problem, it's security. Unpatched WordPress installs account for a huge portion of malware distribution. There are a number of exploits that allow attackers to upload files to your server. So they upload malicious payloads that exploits then download to infected systems.
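The upload problem described above has a cheap defensive check: WordPress only stores media under its uploads tree, so any file there that the web server would execute as PHP is out of place. The following is an added example, not code from the commenter or from WordPress; it assumes a standard `wp-content/uploads` layout and constructs a small sample tree (including a double-extension file) to scan.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Extensions a typical PHP-enabled web server will execute. The uploads tree
// should only ever hold media, so any of these is a finding worth looking at.
var executableExt = map[string]bool{
	".php": true, ".phtml": true, ".php5": true, ".php7": true, ".phar": true,
}

// ScanUploads walks uploadsDir and returns the relative paths of files that
// carry an executable extension anywhere in their name. Checking every dotted
// part catches "shell.php.jpg" style names, which some server configurations
// still hand to the PHP interpreter.
func ScanUploads(uploadsDir string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(uploadsDir, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		name := strings.ToLower(d.Name())
		for _, part := range strings.Split(name, ".")[1:] {
			if executableExt["."+part] {
				rel, _ := filepath.Rel(uploadsDir, p)
				hits = append(hits, filepath.ToSlash(rel))
				break
			}
		}
		return nil
	})
	return hits, err
}

// BuildSampleUploads creates a constructed uploads tree so the scanner can be
// run offline. The two .php entries are stand-ins for dropped payloads; their
// contents are inert text.
func BuildSampleUploads() (string, error) {
	root, err := os.MkdirTemp("", "wp-uploads-")
	if err != nil {
		return "", err
	}
	files := map[string]string{
		"2019/03/logo.png":      "\x89PNG (constructed, not a real image)",
		"2019/03/brochure.pdf":  "%PDF-1.4 (constructed)",
		"2020/11/cache.php":     "<?php /* constructed sample, would be executed if requested */",
		"2020/11/photo.php.jpg": "GIF89a (constructed double extension)",
	}
	for rel, body := range files {
		full := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(full, []byte(body), 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := BuildSampleUploads()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	hits, err := ScanUploads(root)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Println("executable file under uploads:", h)
	}
}
```

Point the scanner at a real `wp-content/uploads` instead of the sample tree to use it. A hit is a signal to investigate, not proof of compromise, and the durable fix is to deny PHP execution under the uploads directory at the web server, which this check then confirms is holding.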



> If you haven't been keeping the WP back end up to date it's not functionality that's a problem it is security.

I'm aware. It got hacked in like 2007 but (I think?) never since. I run some other stuff on that box and sometimes look at the resource usage etc.


Most of those exploits are from plugins. If they aren't using those they can also change the default login URL. Also WordPress lets you export and reimport to current versions without coding. I think it's one of the best future-proof platforms; most of the web still runs on it.


Many WordPress exploits are in plug-ins but there's still plenty in the base install (over multiple versions).

Also suggesting that "most of the web" runs on WordPress is a bit absurd. WordPress accounts for a huge portion of spam-y SEO blogs and other outright noise on the web. It's popular no doubt but definitely not most of the web.

Its popularity and porous security are a big problem as it's such a huge malware delivery vector. Everything from worm payloads to JavaScript crypto miners is served up from millions of exploited WordPress installs.


Oh man, don't I know it. I work for a small business whose long-neglected WordPress site (nothing e-commerce-y, almost no plugins, just a glorified billboard/contact-info type site for a non-tech company that no one had updated in literally years) had been exploited in uncountable ways. It had probably been owned long before I was even hired a year ago. A few months ago it just broke; it was too riddled with problems to salvage.

I was able to convince the bosses to let me take on the fixing-the-site project solo, even though my job has little to do with IT. I replaced it all with a static site generator I wrote in Go. No logins, no PHP, no database, nothing to exploit in the first place. Anyone in the office can update it by copying images into arbitrary subfolders in the generator's images folders and double-clicking the update executable. It builds and uploads a fresh site in a couple of minutes with nice gallery carousels. And as a bonus it loads basically instantly on even the bargain-basement shared hosting we're on.

I do wish that IE compatibility wasn't one of the bosses' firm requirements, due to a lot of our clients not being tech people and still using IE on decade-old computers. Life would be so much simpler if I could just use CSS grids for layout. I f'ing love grids.
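The "copy images into subfolders, run one executable" design above is simple enough to sketch in full. The following is an added example written for this thread, not the commenter's generator; it assumes the layout they describe (one gallery per subfolder under an images directory) and leaves the upload step out. The two properties worth noticing are that nothing but image files is ever published, and that html/template escapes folder and file names in both text and attribute context, so a carelessly named folder cannot inject markup into the generated page.

```go
package main

import (
	"fmt"
	"html/template"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// Gallery is one subfolder under the images directory; the folder name
// becomes the carousel heading, so staff create galleries by creating folders.
type Gallery struct {
	Name   string
	Images []string // URL paths relative to the site root
}

var imageExt = map[string]bool{".jpg": true, ".jpeg": true, ".png": true, ".gif": true, ".webp": true}

// CollectGalleries walks imagesDir and groups every image by its parent folder.
// Files that are not images are ignored, so a stray script or executable copied
// into the folder never reaches the published site.
func CollectGalleries(imagesDir string) ([]Gallery, error) {
	byFolder := map[string][]string{}
	err := filepath.WalkDir(imagesDir, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() || !imageExt[strings.ToLower(filepath.Ext(d.Name()))] {
			return nil
		}
		rel, _ := filepath.Rel(imagesDir, p)
		folder := filepath.ToSlash(filepath.Dir(rel))
		if folder == "." {
			folder = "home" // images dropped directly into the images folder
		}
		byFolder[folder] = append(byFolder[folder], "images/"+filepath.ToSlash(rel))
		return nil
	})
	if err != nil {
		return nil, err
	}
	var gs []Gallery
	for name, imgs := range byFolder {
		sort.Strings(imgs)
		gs = append(gs, Gallery{Name: name, Images: imgs})
	}
	sort.Slice(gs, func(i, j int) bool { return gs[i].Name < gs[j].Name })
	return gs, nil
}

// pageTmpl is the entire page. html/template is context-aware: a folder named
// "<script>" is emitted as &lt;script&gt; in the heading and percent-encoded
// inside the src attribute, so names from the filesystem cannot become markup.
var pageTmpl = template.Must(template.New("page").Parse(`<!doctype html>
<html><head><meta charset="utf-8"><title>Gallery</title></head><body>
{{range .}}<section class="carousel"><h2>{{.Name}}</h2>
{{range .Images}}<img src="{{.}}" alt="">
{{end}}</section>
{{end}}</body></html>
`))

// RenderSite returns the index.html text for the given galleries.
func RenderSite(gs []Gallery) (string, error) {
	var sb strings.Builder
	if err := pageTmpl.Execute(&sb, gs); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// BuildSampleImages creates a constructed images tree (empty placeholder files)
// so the generator can be run offline; notes.txt is there to show it is skipped.
func BuildSampleImages() (string, error) {
	root, err := os.MkdirTemp("", "site-images-")
	if err != nil {
		return "", err
	}
	for _, rel := range []string{"showroom/front.jpg", "showroom/side.png", "staff/team.jpg", "notes.txt"} {
		full := filepath.Join(root, filepath.FromSlash(rel))
		if err := os.MkdirAll(filepath.Dir(full), 0o755); err != nil {
			return "", err
		}
		if err := os.WriteFile(full, nil, 0o644); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := BuildSampleImages()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	gs, err := CollectGalleries(root)
	if err != nil {
		panic(err)
	}
	page, err := RenderSite(gs)
	if err != nil {
		panic(err)
	}
	fmt.Print(page)
}
```

In a real build you would write the returned page to `index.html`, copy the images directory next to it and hand both to whatever upload step the host needs; the generated site still has no server-side code, which is the whole point of the approach.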


"WordPress is used by 62.5% of all the websites whose content management system we know. This is 35.8% of all websites." - https://w3techs.com/technologies/details/cm-wordpress

It's okay if you hate it, but these are the stats.


Wow, TIL that "36%" is most. Your own quote tells you that their measurements are only sites they scan and can determine the CMS used. As I said, WordPress is extremely popular in the SEO spam community and powers thousands of dead blogs, but it's a far cry from powering "most of the web".

None of that is material to the original point that thousands upon thousands of unpatched WordPress sites might work but also deliver tons of malware. WordPress' popularity is problematic because it has had and will keep having serious security problems. WordPress exploits are entirely automated and performed constantly by zombie networks.



