WordPress reduced critical vulnerabilities to the low level of 4 percent, something Qualys puts down to that application’s easy, reliable updating design, while the latest version of phpBB, version 3.x, showed zero percent vulnerabilities.
The study was of over a million websites, and other software packages didn't fare as well. There's a list at that article, but Joomla was near the top of it at 91 percent of the installations being insecure. Drupal, another popular CMS, had vulnerabilities in 69 percent of the installations.
The article cites the easy one-click update option for Wordpress as being a main factor; I've found that with my customers as well. Having to download an update, extract it to disk, then FTP the files to the server, as needed with Joomla and Drupal, is too complex for many web hosts. I think phpBB also has a "one click" update option.