Some of the work I do has been in helping people learn to use WP and helping them correct some basic settings that can cause issues. I haven't been inside more than a few dozen WP installs that I did not do, but some of the stuff you find inside shows that uninformed users create many security problems for themselves, just because they don't know better. A username of admin with login of login123 is so obvious a place to start, but if you don't know any better, that looks just fine to you. The most recent WP update 3.7 addresses this one issue in a way that should help even the newbiest. If they ever update to 3.7, that is.
My point is that a good number of WP security issues are not due to WP, but user inflicted problems. They made it simple to use and people, some who don't even know how to create and save a .txt file, are using it.
I have never had a security problem with a properly installed WordPress Site. I believe it is a popular target because it is widely used, and often enough by unsophisticated users. I see hundreds of wp-login.php hacking attempts per month on plain old html sites, enough to see it as an automated shotgun approach that must sometimes work.