The fact that other platforms and applications are insecure isn't relevant; we're comparing static sites to WordPress.
However, to answer the point, static sites are significantly more secure than every single dynamic platform that supports a plugin architecture because plugins can be, and often are, written without security in mind.
Unless you really need a dynamic website, you should be deploying static assets to the end user. Practically every business website would be better off being delivered as a static site, even if the admin still uses WordPress to edit the content.
The plugin issue is not specific to WordPress.