
WordPress 2.2.1 released: fixes yet more security holes

Vital update to WordPress


encyclo

11:17 am on Jun 23, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Announcement here:
[wordpress.org...]
Unfortunately, 2.2.1 is not just a bug fix release. Some security issues came to light during 2.2.1 development, making 2.2.1 a required upgrade. 2.2.1 addresses the following vulnerabilities:

  • Remote shell injection in PHPMailer
  • Remote SQL injection in XML-RPC. Discovered by Alexander Concha.
  • Unescaped attribute in default theme

That middle one appears to be a worm waiting to happen; chances are you will have your WordPress install taken over if you don't upgrade quickly and you have not removed the xml-rpc file.

amznVibe

11:27 am on Jun 23, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Yeah, in this day and age there is no purpose in having xmlrpc.php online anyway. Delete/rename it. It's only used for trackbacks/pings, which are 99% spam.

Like many, our WordPress installs are too hacked up to be upgraded, unfortunately. I've got to go research these bugs and patch manually somehow.

encyclo

11:58 am on Jun 23, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

WordPress is starting to earn a very poor reputation with regard to security. There are repeated errors of this kind. One issue in particular is that, as you can (and must) use PHP directly in the themes, there can be security issues from a whole swathe of third-party code which is never audited by the WordPress team. The "unescaped attribute in default theme" mentioned above is a serious enough problem in itself, but you're not necessarily any less vulnerable if you aren't using the default theme, as your custom theme may well have been based on that original code.

So you have the unfortunate situation that you don't know, and most likely can't easily evaluate, the quality and the security of the code in your chosen theme, and WordPress aren't going to help you.

The phpBB project lost years of development time when repeated security errors forced them to do a complete security audit of their entire codebase. WordPress may need to go down that path too, and slow or stop development until their existing code is up to scratch. Otherwise, confidence in their product is going to be seriously undermined.
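As an added illustration (not code from this thread, from WordPress, or from its default theme), here is the class of bug an "unescaped attribute" in a PHP theme template refers to, with the unsafe and the escaped form side by side. The thread does not say which attribute was affected, so the template fragment and the hostile input below are constructed.

```php
<?php
// Constructed example: a theme fragment that echoes a request-controlled
// value (e.g. the current search term) into an HTML attribute.

// Unsafe: the value lands inside value="..." verbatim, so a double quote in
// the input terminates the attribute and whatever follows becomes markup.
function search_box_unescaped(string $query): string {
    return '<input type="text" name="s" value="' . $query . '" />';
}

// Safe: htmlspecialchars with ENT_QUOTES neutralises both quote styles and
// angle brackets, so the whole value stays inside the attribute.
function search_box_escaped(string $query): string {
    $safe = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="s" value="' . $safe . '" />';
}

// Simple check for the theme author: does the rendered fragment still contain
// exactly one element? Any extra tag means the attribute was broken out of.
function attribute_intact(string $html): bool {
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Self-check, runnable from the command line: php this_file.php
$sample = '"><strong>injected</strong>';   // constructed hostile input
echo search_box_unescaped($sample), PHP_EOL;  // attribute closed early, extra tags rendered
echo search_box_escaped($sample), PHP_EOL;    // &quot;&gt;&lt;strong&gt;... stays inside value
var_dump(attribute_intact(search_box_unescaped($sample)));  // bool(false)
var_dump(attribute_intact(search_box_escaped($sample)));    // bool(true)
```

Inside WordPress itself the same escaping is wrapped by attribute_escape() (later renamed esc_attr()); grep a custom theme for `echo` statements inside attribute quotes to find the spots that need it.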