React, Flux, GraphQL, Hack, HHVM...? All of this and more!
WordPress, Joomla and Drupal are three systems that put together run a large chunk of the web. Content Management systems like these are nowadays a community and are continuously deployed by experienced professionals as well as amateur enthusiasts wanting to go online.
Open Source has become a powerful source on the web with many corporations running these tools, infact they're outright killing proprietary web publishing tools. One of these companies using these tools is Mossack Fonseca, the company whose customer information leaked through the web in the leak known as Panama Papers. Read about Drupal at Mossack Fonseca and WordPress at Mossack Fonseca.
Much like Windows XP in it's time these systems are very popular and potentially very unsecure. Not due to the nature of Open Source, but because they've become a widely available, interesting target for malicious activities when left without updates. These sites are often online for years and without proper maintenance they've got vulnerabilities which are widely known.
There is no tracking or central firewalls that can be put into place to protect a large number of WordPress installations, for example. WordPress does have an automatic security mechanism in place that delivers updates to the core software, but with much reliance on third party plugins this may not be enough.
There's often ton much thought given to deploying something "free", just as there's few thoughts of what happens to the used bubble gum you spit out on the street. So the next time you are about to deploy any software to the web, you should consider who will maintain this continously online application that has an abundance of CPU time and network bandwidth at it's disposal. You'll want to make sure someone is maintaining them.
Or maybe you want to look at something old for safer delivery by nature: Sleep safe with static HTMLTweet