Everything that a person has done can be broken by another person.
Selfies are no more secure, but they are not hacked in bulk, only if you need to specifically hack it

You can hack everything....
Even if there are a lot of holes in WordPress, no one will touch your shabby blog...
And big projects don't use it...

like a hole

Quite safe

Everything depends on the goals. As I understand the ultimate goal: to create a website that will be useful to the owner.
How much is a potential owner willing to pay for it? If he's willing to shell out: write on anything that can provide the level of security you need. If he intends to pay the minimum - do it on WordPress. And immediately take care to set up all the items required to ensure peace of mind.
The vast majority of WordPress sites are hacked automatically due to the admin login and a weak password, by brute force. Mostly beginners and those who installed stolen theme templates come across.
The news described in the news you cited applies only to sites where one of the most basic ones has not been done:
the XML-RPC protocol is not closed. This can be done without plugins, in .htaccess
I believe that there are 4 main things that must be done immediately after installation: change the admin login, set a strong secure password, close the XML-RPC protocol. Also change the slug that points through the author's page to his login.
The full list of security measures for a website on wordpress is more:
https://8alfa.com/bezopasnost-sajta-wordpress-zash...
This is as time goes by. And this list can still be expanded. In terms of security, paranoia does not hurt :-)