CMS security issues, what are they and what's the defence?

I was having a chat with a Drupal client yesterday and the subject of security came up. I’ve always been impressed with Drupal’s security track record, but I don’t have any illusions that if a site becomes a target it will be able to deter a motivated and clever attack.

As far as I know there aren’t any glaring security issues with a fully patched Drupal site unless the developer creates them with bad server permissions, unsafe custom module/theme code or just stupid passwords, but I have read quite a few “Help, my xxxx site was just hacked” posts and even some very detailed, informative articles about how some platforms have suffered security vulnerabilities.

If you search the (US) DHS Vulnerability website (http://web.nvd.nist.gov/view/vuln/search) for Drupal, WordPress, Joomla, etc., you’ll see hundreds of vulnerabilities. I filtered my queries to the last 3 years and the last 3 months to get useful results. That said, I think it’s safe to say a lot of the vulnerabilities listed can be dismissed because they often have nothing to do with the core software and everything to do with contributed modules. If you aren’t using the module that has a flaw, or you have the version that has been patched against the vulnerability, you won’t suffer from the vulnerabilities listed. I just reviewed the list of vulnerabilities listed for Drupal (last 3 months) and noted that my sites were safe because they either didn’t use the modules noted or were running the latest versions, which were patched against the vulnerabilities. It doesn’t mean that they are future-proofed against vulnerabilities, but it does mean that for the moment they seem to be on the safe side.

So, I’d like to start a discussion to cover some of the security issues that exist and maybe come up with some techniques to improve the security of these sites. Does anyone here put thought into security issues when scoping out a new website project? If so, what’s your process?
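The triage the post describes (dismiss an advisory if the affected module is not installed or the installed version already carries the fix, optionally within a time window) is easy to get wrong by hand, especially around pre-release versions. The script below is an added illustration for this thread, not code from the original post or from the Drupal project. The module names, version strings, dates and `EXAMPLE-000n` identifiers are constructed placeholders that describe no real flaw; the `fixed_in` field is assumed to mean "first release that contains the fix", which is how Drupal contrib advisories are usually phrased.

```python
"""Triage a vulnerability feed against a site's installed module inventory.

Added illustration for this thread, not code from the original post or the
Drupal project. Module names, versions, dates and advisory identifiers are
constructed placeholders and describe no real flaw.
"""
import re
from datetime import date

# Constructed inventory: module machine name -> installed version string,
# in the "<core>.x-<major>.<minor>[-<prerelease>]" form Drupal contrib uses.
INSTALLED = {
    "demo_gallery": "7.x-1.4-beta1",
    "demo_newsletter": "7.x-2.1",
    "demo_search": "7.x-1.0",
}

# Constructed advisory records (hypothetical identifiers, not real CVEs).
# 'fixed_in' is assumed to be the first release that carries the fix.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "module": "demo_gallery",    "fixed_in": "7.x-1.4", "published": date(2013, 5, 2)},
    {"id": "EXAMPLE-0002", "module": "demo_newsletter", "fixed_in": "7.x-2.0", "published": date(2013, 3, 14)},
    {"id": "EXAMPLE-0003", "module": "demo_newsletter", "fixed_in": "7.x-2.2", "published": date(2013, 6, 20)},
    {"id": "EXAMPLE-0004", "module": "demo_cart",       "fixed_in": "7.x-1.3", "published": date(2013, 6, 1)},
    {"id": "EXAMPLE-0005", "module": "demo_search",     "fixed_in": "7.x-1.0", "published": date(2011, 1, 9)},
]

# Start of the "recent advisories only" window used in the demo run.
WINDOW_START = date(2013, 1, 1)

_VERSION_RE = re.compile(r"^(?:\d+\.x-)?(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?$")
_PRERELEASE_RANK = {"dev": 0, "alpha": 1, "beta": 2, "rc": 3}


def parse_version(version):
    """Turn '7.x-1.4-beta1' into a tuple that compares correctly.

    The core prefix ('7.x-') is dropped because the advisory already names
    the module. Numbers are padded to three components so '2' == '2.0'.
    A pre-release suffix sorts BELOW the release it precedes, so an installed
    1.4-beta1 is not mistaken for a patched 1.4.
    """
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers = numbers + (0,) * (3 - len(numbers))
    if m.group(2):  # dev/alpha/beta/rc suffix present
        return numbers + (0, _PRERELEASE_RANK.get(m.group(2), 0), int(m.group(3) or 0))
    return numbers + (1,)


def triage(installed, advisories, since=None):
    """Classify every advisory for this site.

    Returns {advisory id: status}, where status is 'not installed',
    'patched', 'VULNERABLE' or 'skipped (older than window)'.
    """
    results = {}
    for adv in advisories:
        if since is not None and adv["published"] < since:
            results[adv["id"]] = "skipped (older than window)"
            continue
        current = installed.get(adv["module"])
        if current is None:
            results[adv["id"]] = "not installed"
        elif parse_version(current) >= parse_version(adv["fixed_in"]):
            results[adv["id"]] = "patched"
        else:
            results[adv["id"]] = "VULNERABLE"
    return results


def vulnerable_modules(installed, advisories, since=None):
    """Modules that still need an update, with the advisories that hit them."""
    status = triage(installed, advisories, since)
    hits = {}
    for adv in advisories:
        if status[adv["id"]] == "VULNERABLE":
            hits.setdefault(adv["module"], []).append(adv["id"])
    return hits


if __name__ == "__main__":
    for adv_id, verdict in sorted(triage(INSTALLED, ADVISORIES, since=WINDOW_START).items()):
        print(adv_id, verdict)
    print("needs update:", vulnerable_modules(INSTALLED, ADVISORIES))
```

Two things the by-hand review in the post can miss are visible in the sample data: a module with several advisories is only "safe" if the installed version clears the newest `fixed_in`, and a `-beta`/`-dev` build of the fixed release does not count as patched. Feeding the real inventory (for example, the module list and versions a site actually reports) in place of the constructed `INSTALLED` dict turns this into a repeatable check rather than a one-off eyeballing of the NVD results.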