I like PHP.

Right, yes, I know, that makes me crazy, but modern PHP is a fine language. HHVM, Hack, Composer, Packagist, the PSR standards: all of that comes together for a nice development workflow. PHP's shared-nothing architecture by default makes horizontal scaling an exercise in simplicity.

But: I don't like WordPress. Yes, it can autoupdate -- and that's certainly better than how things were prior, however WordPress' core code is horrendous. There's a reason why security issues are consistently found.

The bigger issue is the sorry state of most plugins; the bulk of vulnerabilities that end in compromise of WordPress sites are not from the core itself, but the plugins. An autoupdater for those certainly exists, but it doesn't help you if the people writing the plugins to begin with have no clue how to write not-insecure software.

These days, I avoid WordPress like the plague. When I do have to work with it, I've dragged it kicking and screaming into 2015: It lives in a Docker container, is fully 12-factor, completely managed through Composer (including Wordpress' core itself) and all code that I write for it is proper unit tested, PSR-4 autoloaded namespaced classes; this allows me to avoid crappily written plugins and rely on battle-tested libraries instead.

If and when it gets compromised, I can restore the Docker image within seconds, or lock it down as straight HTML by exporting it as a static site temporarily. WordPress can be decent if forced to be, but it's a lot of work and I'd much rather use something that doesn't have so much cruft clogging it up.

I mean heck; you still can't run the latest version of WP on anything other than MySQL, despite technically having a DBAL. Absolutely crazy, considering we have Doctrine or Propel!