Thanks einsteinsboi - I've played with ModX and liked it, but have never really used it. I didn't realize it had that built in.
It's one of those CMS I'm always thinking I should check out again. Last I looked, it was still in a pre-version 1.0 and was missing some stuff I really wanted, but that was at least a couple of years ago.
>>Drupal is out for security reasons
I let this slide before because I don't want to sound like a shill for Drupal. There are many reasons to avoid Drupal (*complexity* being number one and usability being another). I see Drupal as being more secure than most other options.
One thing to keep in mind with Drupal: since they take security very seriously, they report all known exploits including exploits in all modules, including any third-party modules. That makes it look like there are a high number of alerts, which there are, but that's because they report and monitor things that nobody else does. Wordpress certainly doesn't. You could have an insecure plugin installed for years and have no idea.
Also, you can sign up for their security mailing list, which means you get notified of exploits by email. Again, if WP has such a mailing list, they don't push you to join it like Drupal does.
As for the alerts, 90% of these are for third party modules that I never have and never will use, especially ones that allow complex users to create their own complex relations.
Many of the alerts for modules I do use only apply if you are doing things like giving anonymous users advanced permissions. So in most of the cases where there are known exploits to modules I actually use, my sites are still not subject to the risk in the exploit.
Finally, many of the alerts are zero-day exploits. Because the Drupal community is large and has its roots in a programmer/hacker tradition (in the whitehat sense of hacker), many of the security exploits are patched before they get used in the wild.
In terms of maintenance, it would be nice if Drupal had auto-upgrade capabilities like WP, but one thing I like about Drupal is that you can go to the Available Updates report and it tells you whether or not there is an update to any particular component, and whether or not that update is security related (highlighted in bright pink).
So when you're pressed for time, you can focus just on those updates. Again, you can't say the same of the Wordpress Plugins page or the update notification - it just says update, but doesn't give any indication of whether or not failing to update poses some risk to your site.