The problem is that people that run 12 page websites are probably more likely to not keep up with upgrades, and to consequently have their sites broken, passwords gotten, etc.
The original comment is not quite right. It's not that WordPress is now a "CMS Framework" with blogging bolted onto it. It's actually the other way around: a CMS framework is bolted onto a simplistic and fairly faulty blogging platform.
If you use it as a blogging platform, or to run a mostly static site, sure it works. But try to actually build something on this "framework" and you'll run into all kinds of ugly. Things like BuddyPress, ecommerce plugins, etc. all are a mess because you can't turn a blog into a social network or an online store any easier than a Prius into an 18 wheeler.
And WP is not versatile. It's just that PHP has no rules. Anyone can do anything at any time. Don't want to wire proper plumbing into your framework to pass some variable to the right view? Just declare a global variable! Don't have access to the right set of posts? Query the database directly!
So my argument against WP is not that it's a bad blogging platform. It's that blogging is all that's it's good for, assuming you spend every minute of every day checking for security updates.
WordPress initial purpose was for blogging, later it grew along with demand and real world usage to become a more robust, capable versatile CMS. The blogging architecture is still front and center however. While there are definitely limitations to what WP should responsibly be used for, some folks like to hash out poorly constructed ones.
Take the security updates aspect - it doesn't matter software you use - it will need updating. A vigilant attitude toward security should be the default for serious sites, regardless of the software used.
Same with cars, they can suffer all kinds of problems if not properly maintained. You can't force the car owner to take the car into the shop to perform said maintenance. That doesn't make the car fundamentally bad.
When people say something to the effect 'WP isn't secure', it's often made as a blanket statement to make it sound like WP is fundamentally weak. There have been very little serious problems with WordPress core itself. Security concerns and exploits are the reality of any software that is widely used, WP is no exception, but it's to be expected. If anyone likes to share any powerful software in use that has millions of users and manages to evolve constantly and stay perfectly robust against any imaginable attack - I'd like to hear some examples.
Back in the real world, what counts is building useful products that matter to its end-users.
The original comment is not quite right. It's not that WordPress is now a "CMS Framework" with blogging bolted onto it. It's actually the other way around: a CMS framework is bolted onto a simplistic and fairly faulty blogging platform.
If you use it as a blogging platform, or to run a mostly static site, sure it works. But try to actually build something on this "framework" and you'll run into all kinds of ugly. Things like BuddyPress, ecommerce plugins, etc. all are a mess because you can't turn a blog into a social network or an online store any easier than a Prius into an 18 wheeler.
And WP is not versatile. It's just that PHP has no rules. Anyone can do anything at any time. Don't want to wire proper plumbing into your framework to pass some variable to the right view? Just declare a global variable! Don't have access to the right set of posts? Query the database directly!
So my argument against WP is not that it's a bad blogging platform. It's that blogging is all that's it's good for, assuming you spend every minute of every day checking for security updates.