ergophobe - 9:42 pm on Sep 27, 2011 (gmt 0)

That said, Drupal *does* classify updates as security updates or not, and in the case of security updates, they tell you what the exploit is. Quite often in the case of Drupal, the exploit requires the user to have admin privileges for a particular module, which means that if you are the only one who has such privileges, you can choose not to update that module even though there is a security update for it.

I find this means I can track security alerts and releases and make an informed decision about whether or not a site needs to be updated or, as is often the case, the update concerns only a few bugs in features I don't use anyway.

I'd love to see WP adopt an approach like this, but I think it's still true that WP is to Drupal as Mac is to Linux. WP likes to hide the magic behind the curtain; Drupal makes you look at the naked wizard whether you want to or not.