First, I assume this is for the same reason that most viruses are for Windows -- WordPress is one of the most common species in the ecosystem.
Also, If I understand the architecture of Movable Type correctly, it renders much of the site into static pages. I would expect that this tends to reduce the number of points where vulnerabilities would be possible, at least as far as points where it might be exploited via causing it to execute with malicious parameters via an HTTP request. i.e. In Wordpress, every page you load is the result of the execution of some PHP scripts, while in a blog that is rendered to a bunch of static files, it's conceivable that the only thing that unauthenticated users can mess with is the comment system.
Also, If I understand the architecture of Movable Type correctly, it renders much of the site into static pages. I would expect that this tends to reduce the number of points where vulnerabilities would be possible, at least as far as points where it might be exploited via causing it to execute with malicious parameters via an HTTP request. i.e. In Wordpress, every page you load is the result of the execution of some PHP scripts, while in a blog that is rendered to a bunch of static files, it's conceivable that the only thing that unauthenticated users can mess with is the comment system.