The reality is that users do not update addons. So the admin has to do it, which is a pain and good luck with getting paid!
Again that’s not the fault of Wordpress as a platform.
Yes, the core of wordpress is pretty secure (though way too slow).
That’s subjective
But that's like saying that guns don't kill people: the bullets that users put in them are the problem.
Actually what you’re describing is guns don’t kill it’s the person pulling the trigger.
My point remains, whatever your issues with Wordpress are, to say it shouldn’t be as it’s just not safe is wrong.