Is Bitrix a completely patched system without any vulnerabilities? Ridiculously simple. The only thing is that all expenses for CMS support should be borne by the manufacturing company of this CMS (it's not for nothing that it costs so much money).
Drupal - only from the point of view of architecture I like it more. But again, both Drupal and Bitrix need to be patched for a long time with a file.
Alas, a detailed comparison of the pros and cons cannot be provided - the specifics of the project require a different approach to development. Somewhere some feature of Drupal will be a plus, and somewhere it will be a minus. The same applies to Bitrix.

Regarding security, look here:
drupal.org/security
In 2011 - three detected security problems, in 2010 - two.
By the way, I advise you to read the patch notes for these “holes”, if these are the worst security problems found in Drupal, then it can generally be considered a reference system;)
In general, there is no proof for the “huge number of holes” that experts from the White House , Ubuntu and Mozilla are patching up - you can’t talk about problems.

Maybe the boss will first list a huge number of holes and refer to authoritative sources?

For Drupal, you will also have to write a bunch of modules, components, etc.
Bitrix is ​​a pretty good system, in my opinion. At least when I was working on the development of the
www.komandirovka.ru/ portal , I was satisfied. Perhaps I was just lucky to get into a team with good programmers with extensive experience in developing for Bitrix, so I did not see any special problems and crutches.
But I really liked "Infoblocks 2.0" - a fairly powerful and at the same time a simple tool for working with information, in particular, on a business trip, I personally made modules for photo galleries and souvenirs using infoblocks. It’s convenient that you don’t need to worry about the admin panel - when using infoblocks, Bitrix does almost all the work on the admin panel for the programmer.
In general, on this issue, it seems to me that the need to move to Drupal is somewhat far-fetched. It is better to work with the tool that your developers know well, and if I were in the position of the boss, I would refuse Drupal not because there are a lot of holes in it, but because training developers who have experience with Bitrix is ​​a waste of time with an unknown economic effect.
Those. in your case, you don’t need to give him articles and reviews like “Drupal is a good system, but Bitrix is ​​bad”, but rather provide him with specific numbers, for example:
- Bitrix costs 100,000 rubles, Drupal is free
- in the case of Bitrix, we will be able to start working immediately, with Drupal - after 2 weeks of training developers (s / n of one developer per month, let's assume 100,000, 2 weeks - 50 thousand, multiply by the number of developers)
- on Drupal we will be able to develop this the project is one and a half times faster than on Bitrix, so we will save, for example, a month of work for the development team, multiply by the salary and the number of developers.
Then we make money (assume that we have 3 programmers)
100,000 savings on Bitrix, 300,000 savings per month of development, 150,000 training costs. In total, this project can be implemented 2 weeks earlier and with a saving of 250,000 rubles.
Switching to Drupal in this light looks like a better solution than using Bitrix.
If you are not sure that switching to Drupal will bring a real effect, then it is better IMHO to continue developing on Bitrix and improve your knowledge of Bitrix so that “Bitrix cannot support all the tasks required from the portal without writing its modules, components” - was not a problem.
Because it is unlikely that Drupal will have all the necessary modules and components :) And if they are already 100% there and do not require modifications, then there is no problem, I have already described above how to argue this to the authorities.

>The answer is simple - they are constantly engaged in "patching" such holes, and we cannot afford such support.
So that's a big plus! They do and send upstream patches that you download. “ubunta, MTV, playboy, the white house website, mozilla, twitter, ... there is a very long list here.” — and you can't afford SUCH support? Do you want to correct your mistakes and get paid extra money? :)

Lamer comparison with Bitrix

I do not share positions regarding the advantage of Drupal over Bitrix.
Recently there was a post on Habré
It turns out that Drupal is still unpromising.

Holes are often found on Drupal, which is actually a big plus. who says that very strong professionals are engaged in Drupal and are constantly sorting out its code. Moreover, experts from all over the world.
And the fact that Drupal is a safe system is evidenced by the fact that large companies are interested in Drupal: Ubuntu, MTV, Playboy, the White House website, Mozilla, Twitter, ... there is a very long list. Also note that all these mega-large structures had a website on some other CMS before Drupal, but still swelled a lot of money to switch to Drupal.
Pluses that I see:
1. A secure system with a constantly updated kernel, which eliminates even small theoretical holes. On the other hand, frequent updates indicate that the product is not dead :)
2. Very thoughtful and logical API
3. Upward extensibility has no limit
4. The core and code are built so that you CANNOT hack the core and at the same time you can make any change on the site from functionality to theme
5. The theme system is extremely flexible
6. Clearly separated: logic and design
7. Lots of support. both in the CIS and abroad, all over the world
8. There are also customers all over the world

What modules are needed in the portal? Give a link to your working portal to estimate the implementation possibilities.

habrahabr.ru/blogs/drupal/128208/

Link to the topic about Drupal security and "leaky".
safesearch.ya.ru/replies.xml?item_no=120
It's just not there