Once software gets to a certain size, nobody understands all of it. Therefore, all well-known programs are broken, though the adage is more normally stated as "all non-trivial software is broken".
The advantage of WordPress, Drupal, etc., over closed formats is that the former will tell you something is broken, and the latter will fix it silently without ever telling you at all, giving you no notice that you might have been compromised, leaving you vulnerable for years after something has been fixed.
Most problems are in addons, because they have less peer review. Installing addons is bad even if the code is good, because every line of code you ever add increases your attack vector. Think of it like firing a crossbow at a target, and every line of code is an extra ring around the bullseye. That's not to say don't use addons, just don't install random crap that sounds sort of interesting - just install stuff you need.
As a recommendation? None. I don't like any blogging software. I went through every different project I could find, and they were all crap, so I wrote my own instead. I won't even recommend mine because that's broken too - it's just broken in ways I understand (and also requires the installation of an entire framework that you can't install without a VPS).