>Delivering an app or site based on Drupal, WordPress, Rails, etc. as a finished product to a client that does not have sufficient in-house IT staff -- you can almost guarantee they're going to run into security trouble. And what is required for 'sufficient in-house IT staff' is way more than we thought a few years ago -- even if not everyone has realized it yet (those who have not will get burned).
And that for 99% of the cases (unless they process credit cards and transactions), it won't matter much, if at all.
Well, it matters to the customer if their WordPress site goes down because it was infected by malware that sends out spam or makes clicks on Google Adwords.
This happened with someone I was working with, to try and rescue their WordPress.
Ironically, the site went down only because the malware that I'm guessing was scraping Google or making clicks on google adwords or something (I just skimmed the malicious code, it wasn't entirely clear to me what it did) -- had a bug in it that brought down their site. If it had been bug free, it could have kept using their site for it's malicious purposes for years without them ever noticing.
And that for 99% of the cases (unless they process credit cards and transactions), it won't matter much, if at all.