First, the methodology. Candidate CMS's are the top ten listed in CMS Matrix when sorted by compares (BTW, Plone comes in sixth). The source for my security data is the National CVE and CCE Vulnerability Database, searching each candidate CMS for vulnerabilities listed in the past 3 years and past 3 months. The highest level of vulnerability in the past 3 months were counted and totaled as a "Seriousness" score. Here they are in alphabetical order.
|CMS||3 yr. vuln.||3 mo. vuln.||Seriousness|
Second, the results. I'm pleasantly surprised that 5 out of 10 turned up with no vulnerabilities in the past 3 months. However, of those only PHP Nuke has a better 3-year number of vulnerabilities. TYPO3 and Joomla have a much larger number of vulnerabilities rated "high" by the National Vulnerability Database than all the rest combined.
Typically one hears defenses like "CMS x has more vulnerabilities reported because it is more popular/has a larger install base and therefore has more eyes looking for problems." That's the same argument Microsoft put forward for all its security flaws when compared with Linux. You don't want to go there.
But even putting aside the logical fallacies in such arguments, both pro and con, it's clear that systems with more security flaws require more effort to patch and lock down. The bottom line is that more flaws mean more chances for the sys admin to slip up and more opportunities for the bad guys.
By way of an anecdote, at my day-job our computer security people were much relieved to learn that we were using a non-PHP-based CMS. On that note, Happy World Plone Day 2010.