We understand that the development and support of 1c bitrix will be many times more expensive

not a fact, it depends on the project, if all the technical specifications fit into the functionality out of the box, then it’s cheaper and more correct to take 1c bitrix.
This primarily depends on the crooked hands of the developer. Again, if a developer with obviously crooked hands - cms is safer than framework.
Applicable to any software.
P.S. Never choose an instrument without knowing what you will be doing. There is no answer to your questions until there is a clear TOR. There is what you need out of the box in some cms - take cms. A lot of unique functionality, the development of the project is planned - take the framework. Wrote an essay on the topic: https://vk.com/@framework_yii-or-cms Every technology is made for something. You cannot compare bitrix and yii, js and php. They perform certain functions well. Understanding what exactly needs to be done, you can choose the best tool for this.
P.S. to PS: I really didn’t expect that I would defend 1s, in this context - this is objective.

IMHO, Bitrix is ​​the worst of all that you can choose from. And I'm not just talking about security.
If we are talking about a high degree of site security, then the question is not about choosing a framework and relying on its internal mechanisms, but about choosing a specialist who can implement this.

It seems to me that no one will make the application safe for you. Therefore, any platform + straight arms and a sober head.
Although of these two options, I would choose Yii2.

On an active Bitrix license, subject to green quality monitoring tests and with regular updates - the developer is not actually responsible for security - in the 1C-Bitrix response. And when developing on yii, the answer is always the developer.