How Secure is Drupal — is it as Good as They Say it is?

From... https://blog.acromedia.com/how-secure-is-drupal-is-it-as-good-as-they-say-it-is

Drupal meets Open Web Application Security Project (OWASP) standards
“OWASP is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.” They have identified a list of Top 10 security risks to help guide online software security development. Drupal’s security is designed to meets OWASP standards and is actively screened to continually prevent future risks.

For a more detailed look at how Drupal addresses each of the OWASP Top 10 security risks, view the Drupal Security White Paper (PDF).

Drupal Security Team
Drupal is used by millions of websites, so the security of the platform is taken very seriously. Formally formed in 2005, the Drupal Security Team consists of about 40 security experts from around the world, whose task is to analyze and report security vulnerabilities discovered in the core Drupal platform and community-contributed modules. The team then provides resources and assistance to resolve the issues, as well as generate documentation to help developers write secure code and protect their sites.

Here’s a fun infographic about how the Drupal Security Team works to keep Drupal secure.
https://www.acquia.com/sites/default/files/blog/Drupal-security-release_rgb-cc-by-nd.jpg

A huge community keeping constant watch
The Drupal community is one of the largest in the world, with over 1,000,000 developers, designers, trainers, strategists, coordinators, editors and sponsors all working together to shape the platform. With all of these eyes continuously reviewing code and functionality, you can be sure that any security vulnerability will be reported to the Drupal Security Team and dealt with quickly. It is extremely rare that any serious vulnerability will ever make it into an official core software release.