Now almost all cms except for highly specialized ones (photos, online stores, for example) have a very similar set of plugins in terms of functionality, so the choice, as usual, is to write technical specifications, install the latest versions of popular CMS, look through their galleries for plugins for the desired functionality (authorization, photo galleries, forums, etc.) and form an opinion for yourself and the customer.
I have a personal website for many years on WordPress, it has never been hacked. What I like is that during installation, the admin login can already be entered by the user himself, respectively, it has become even more difficult to sort through and hack cms (the login can be hidden by displaying the username) and you can rewrite until the release of the 10th iPhone of the second coming.
Plus, it should be borne in mind that half of the popular cms, if not more, can already run quite normally not only on LAMP, but also on the Windows + IIS platform.

If you own erlang, look towards Zotonic CMS. For hacking, you need to have very highly specialized knowledge. Knowing the language, you can bring extensibility to infinity. Development is very similar to Django. True, the entry threshold is quite high - many things will have to be smoked for a long time and hard, but after that comes paradise. The speed of work is very high. And yes, it's completely free.

If you are familiar with C# and ASP.Net MVC technology, then you can try KooBoo CMS. True, there are almost no ready-made plugins for it, but I like it because you can program it directly from the administrative interface on the site (i.e. write C # code directly in views - view). PS: for small volumes, it does not require a database and works with XML as a data source.