This has been an interesting couple of weeks for Drupal, and the platform as a whole has received a lot of press. With the release of Drupal 7.32, a major (I use this term lightly) security vulnerability was corrected. Drupal then announced this week that, despite there being no significant evidence of a large number of sites being attacked, any site that wasn't patched within 7 hours of the patch release should consider itself compromised. Hosts were reporting automated attacks beginning only hours after the patch announcement. The vulnerability was unprecedented for the Drupal community, but really it shows why Drupal is great, and it isn't a black mark on Drupal in our eyes.
First, let's look at the announcement by the Drupal Security Team this week, where they say that sites were beginning to be attacked within hours of the patch announcement. The biggest thing to take from this announcement is the words "Drupal Security Team". Yep, Drupal has one. I did a search this morning using the phrase "<popular CMS> security team", and I found the results quite interesting. When I used Drupal as the "popular CMS" I got a page full of Drupal Security Team information, policies and procedures. For every other CMS I tried, I got nothing about a team of security people, but a lot of information stating that the CMS is secure and, if you find a problem, here is how to report it. Drupal focuses on security, and the Security Team at Drupal is a prime example of how important this really is to the Drupal community.
The second thing to take away from this is that the patch itself notified the world that there was a vulnerability, and there is no way to stop that from happening. We didn't see any mass attacks on Drupal sites prior to this release, and the damage after the release seems to be primarily related to those who chose not to apply the update as they were instructed to. This really emphasizes the importance of applying available updates. Sites where the update was applied quickly likely did not experience any negative effects of the vulnerability, and if they did, the effects were very limited. Updates to Drupal are certainly optional, but they are necessary to avoid headaches down the road, and this is proof of exactly why.
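As an added example (not code from the original post or from the Drupal project), here is a small check of the kind a site owner or host could run across their Drupal 7 document roots to see which ones are still below 7.32. Drupal 7 core declares its release in `includes/bootstrap.inc` as `define('VERSION', '7.32');`, so the script parses that constant and compares it numerically against the fixed release; the sample `bootstrap.inc` contents below are constructed for the demonstration, and the `check_site` function and its document-root argument are this example's own.

```python
import re
from pathlib import Path

# Drupal 7 core records its release in includes/bootstrap.inc as
#   define('VERSION', '7.32');
# The 7.32 release carried the fix discussed in the post, so anything in the
# 7.x series older than that is unpatched.
FIXED_VERSION = "7.32"

VERSION_RE = re.compile(
    r"""define\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def parse_version(text):
    """Return the VERSION string declared in bootstrap.inc content, or None."""
    m = VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v):
    """Turn '7.32' (or '7.32-dev') into a tuple of ints; None if not numeric.

    Comparing tuples avoids the classic mistake of comparing version strings,
    where '7.9' would wrongly sort after '7.32'.
    """
    core = v.split("-", 1)[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        return None  # e.g. '7.x-dev' checkouts cannot be judged by number
    return tuple(int(p) for p in parts)


def is_patched(version, fixed=FIXED_VERSION):
    """True if version is fixed-or-later in the 7.x series, False if older,
    None if the version is not numeric or belongs to another major series
    (this check only knows about Drupal 7)."""
    vt = version_tuple(version)
    ft = version_tuple(fixed)
    if vt is None or vt[0] != ft[0]:
        return None
    return vt >= ft


def check_site(docroot):
    """Read includes/bootstrap.inc under docroot; return (version, patched)."""
    path = Path(docroot) / "includes" / "bootstrap.inc"
    text = path.read_text(errors="replace")
    version = parse_version(text)
    if version is None:
        return (None, None)
    return (version, is_patched(version))


# Constructed samples of the relevant lines of bootstrap.inc, for an
# unpatched 7.31 site and a patched 7.32 site (not copied from Drupal).
SAMPLE_UNPATCHED = (
    "<?php\n/**\n * The current system version.\n */\n"
    "define('VERSION', '7.31');\n"
)
SAMPLE_PATCHED = "<?php\ndefine('VERSION', '7.32');\n"

if __name__ == "__main__":
    import sys
    # Usage: python check_drupal_version.py /var/www/site1 /var/www/site2 ...
    for root in sys.argv[1:]:
        version, patched = check_site(root)
        state = {True: "patched", False: "UNPATCHED", None: "unknown"}[patched]
        print(f"{root}: VERSION={version} -> {state}")
```

Because the post's point is that the announcement itself was the signal to attackers, a version check like this is only a triage tool: it tells you which sites were exposed, not whether a given site was touched before the update landed.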
So don't be discouraged by all of the bad-looking press related to this. I still stand by the idea that Drupal is the most secure platform available, but it is only as secure as you allow it to be. If you aren't applying the updates as they become available, you are likely putting yourself at risk of having your site compromised. The big difference I see between Drupal and the other CMS options is that Drupal works diligently to fix module and core vulnerabilities as a habit. Many others aren't as diligent.