Given how extensible something like wordpress is, and how popular it is, it's an inevitable target for hacking. Outside the top few CMS I imagine the rest aren't worth spending time on to exploit.
I'd agree that it being open source and transparent is definitely a good thing, and security seemingly is more of a WP issue purely because we hear about it more. I'd rather use code that's been scrutinised by both hackers and those who secure code rather than being blissfully unaware.
I've seen a number of exploits lately regarding a commercial and quite popular billing/account management package. They were simple SQL injections with grave outcomes (delete all data/take all customer data kind of thing)- things that simply wouldn't happen if the codebase of something this popular was open for public scrutiny.