The WordPress core can be kept up to date, but the vulnerabilities from plugins, relying on fixes and updating plugins, I think was more the problem than the core.
In the 2010s, if you left a WordPress blog unattended, even with the official default filter plugin, it would fill with spam comments. I don't know if that's still a problem.
My own blog - which gets maybe a couple of posts a year these days, and almost no audience - had 59 spam comments so far today. It really is time I turned off comments.