Plugins. The plugins are a never ending stream of XSS, SQLi, and other vulnerabilities. I used to intern on a web security team at Mozilla that hunted down these kinds of things and the entire experience revealed how easy it was to compromise your entire site because of a single plugin. During my six months there, I think I discovered 30+ plugins with issues. Most developers were responsive but some ignored us and the issues were never fixed.

I've personally never used Wordpress, but when I look at my server logs, there are always loads of requests from bots trying to attack Wordpress vulnerabilities in particular.

Event without plugins, when your self host your wordpress you'd have to keep up with the updates.

Only having to send a bunch of static files makes it really easy.

I haven't looked at Wordpress in years, but it used to have a terrible reputation when it came to security. Hopefully they've improved.