It’s actually not as bad as I thought it would be. I modified one of the twenty-x themes that come with it and installed a few plugins to make a decent personal site. It took less time than it would have to create anything with remotely similar functionality.
I run it off a single vps that has no other purpose. If it gets hacked, nothing of value is lost. I can revoke the api keys for the external services I use and restore to a new server from my backups.
WordPress used to be quite vulnerable a few years ago, but nowadays not so much, just avoid less popular plugins and you should be ok. Of course since it's the most widely used CMS out there, it's a prime target for hackers. But the "WordPress is vulnerable" thing is much of a meme in the current day.
For example, making sure that software cannot modify itself will ensure that even if the server is vulnerable, it won’t get permanently compromised. Having a server that does not execute any file with the right extension makes sure that sanitization errors do not lead to code execution. Having the admin system be separate from the main site makes sure XSS cannot cause compromises.
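An added example (not code from any commenter) that audits a WordPress tree for the two properties this comment describes: PHP files outside uploads that the web server account could rewrite, and PHP-like files sitting under wp-content/uploads. The tree is constructed in a temp directory, the set of "executable" extensions is an assumption, and the script only detects; blocking execution in uploads still needs a web-server rule.

```python
import os
import stat
import tempfile

# Assumed set of extensions a PHP handler would execute if reached via the web server.
EXEC_EXTS = {".php", ".phtml", ".phar", ".php7"}
UPLOADS = os.path.join("wp-content", "uploads")

def web_can_write(st, web_uid, web_gid):
    """True if a process running as web_uid:web_gid could modify this file."""
    m = st.st_mode
    return bool(m & stat.S_IWOTH
                or (st.st_uid == web_uid and m & stat.S_IWUSR)
                or (st.st_gid == web_gid and m & stat.S_IWGRP))

def audit_wp_tree(root, web_uid, web_gid):
    """Sorted (finding, relpath) pairs: 'writable-code' for PHP outside uploads the
    web server could rewrite, 'executable-in-uploads' for PHP-like files under uploads."""
    findings = []
    for dirpath, _, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_uploads = rel_dir == UPLOADS or rel_dir.startswith(UPLOADS + os.sep)
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXEC_EXTS:
                continue  # images, css, etc. are not run by the PHP handler
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if in_uploads:
                findings.append(("executable-in-uploads", rel))
            elif web_can_write(os.stat(path), web_uid, web_gid):
                findings.append(("writable-code", rel))
    return sorted(findings)

def demo_audit():
    """Audit a constructed WordPress-like tree (not a real install) in which
    the current user stands in for the web server account."""
    root = tempfile.mkdtemp()
    sample = {  # relative path -> mode
        "wp-includes/functions.php": 0o444,          # read-only core: clean
        "wp-content/plugins/demo/demo.php": 0o644,   # writable plugin: flagged
        "wp-content/uploads/2024/photo.jpg": 0o644,  # ordinary upload: clean
        "wp-content/uploads/2024/shell.php": 0o644,  # PHP in uploads: flagged
    }
    for rel, mode in sample.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(path, mode)
    return audit_wp_tree(root, os.getuid(), os.getgid())
```

Run against a real install as the web server user (or pass its uid/gid) to see which core, plugin and theme files that account could still rewrite.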
with a default wp install - you are right,
however it's trivial to add a couple of security plugins and turn on auto-update.
adding the "ipgeoblock plugin" wipes out most attacks straight away.
with some of my wp sites that got attacked a lot on a regular basis, I use a 'static html generator' plugin - and delete all the wp php files -
no way to login, add comments or hack the wp core or plugins or themes, since they are not in use when you convert it all to static html.
On wp sites where I actually add content with regularity, I don't delete the wp files, and just use shield, sucuri, ipgeoblock, plugin things like that depending on threat.