You've nailed it. Years ago I was advised that when it comes to software, follow the pack, because there are a great number of users and problems are more quickly discovered. When an issue does surface there are more people to resolve the problem.
When a 12-year-old Canadian boy can break into secure U.S. government computers, arguing about WordPress' security seems silly. If someone is worried about being hacked then I'd suggest using the WordFence plugin.
Of course anyone who doesn't back up their database is living in la-la land and needs to install DBmanager, which will send regular backups of their database.
Going the extra mile to back up your entire WordPress site is simple enough with Backup Buddy. It also makes moving an entire site from one server to another a breeze.