Popularity > less dev more results, consistency, ease of use and time-to-deliver
Wordpress 6.3 M sitesJoomla 1.7 M sitesDrupal 400k sites
Organizations choose to outsource code knowingly or unknowinglyUsing 3rd party code means faster development lifecycle, sometimes more matureNOT more secure
The threat landscape is rich and full of different vulnerabilitiesCMSs and their plugins are like petri dishes for vulnerabilities