WordPress’s dependence on plugins turns out to be a double-edged sword; plugins are not tested by any WordPress core developer team to ensure they pass some form of QA before being added to the plugin repository. As a result, your site may fall victim to serious bugs and security vulnerabilities
Nowadays WordPress has become extremely vulnerable to hacking . . . given the huge range of third party additions (themes, plugins, etc.), ensuring any given installation is hacker-proof is pretty difficult.
Joomla suffers from the exact same issue that WordPress suffers from when it comes to plugins. Plugins are not tested against the system by Joomla core developers before being added to the repository (this same issue is persistent across a ton of CMS and isn't Joomla specific)and there are also a significant number of outdated plugins from 2010 - 2012 throughout the Joomla extensions directory.
Most plugins and modules are developed by different people than the developers working on core. So, every plugin on your site will have separate upgrades. All these teams are working independently. Any one of them can release an upgrade for their own plugin at any time.
Maintaining all these separate upgrades is one of the most time-consuming parts of running a website. (Although it's still faster than writing all your own code.)
Bottom line: Systems that are heavily reliant on plug-ins are more apt to have security vulnerabilities for which there is no known patch. Why is this? Even frequently-used plug-ins are not always actively maintained and enhanced by their original developers.
Yes, Drupal 7 is officially available for download (get it here). But it's important to recognize that this is just the Drupal 7 core — the release status obviously does not apply to the thousands of modules (add-ons) contributed by the community. Although there has been much support from the community that supplies contributed modules, and an entire movement that pledged to have their modules D7 ready by release time, it hasn't exactly happened.
A bytecode cache is integrated with the PHP runtime at a very low level. Thus, if the development of the bytecode cache is decoupled from the development of the PHP runtime itself there is a risk of "running out of sync". More often than not it took both the vendors of commercial products as well as the developers of open source solutions months to adapt their bytecode cache after a major new version of PHP had been released. In the past, this gap was a contributing factor to the slow adoption of new PHP versions.
At the time of writing there are an enormous number of plugins on WordPress.org. However, the vast majority of those plugins are: out of date, buggy, bloated, unsecure, or a combination of one or more of the above.
Part of the reason for these vulnerabilities is that WordPress is fairly complex so interactions with plugins can produce unwanted and occasionally dangerous security issues. The other major reason is that the coding practices of third parties can be inadequate so dumb vulnerabilities such as buffer overflows and SQL injections can be part and parcel of some “must have” feature added by a plugin.
Every developer should feel responsible for the entire application developed by their team. The entire team should be proud of the work accomplished. It makes the developers, and the product owner, happy in the long run.
Too often new modules are contributed that do nothing new; instead, they only do it in a different way. We are then stuck with two modules that offer nearly similar functionality, but neither do it well enough. This leads to confusion, clutter, and a lot of inefficiency.
This is why code reuse is so hard. This is why everybody on your team has a different function they like to use for splitting strings into arrays of strings. They write their own function because it's easier and more fun than figuring out how the old function works.
As a corollary of this axiom, you can ask almost any programmer today about the code they are working on. "It's a big hairy mess," they will tell you. "I'd like nothing better than to throw it out and start over."
Brooks distinguishes between two different types of complexity: accidental complexity and essential complexity. Accidental complexity relates to problems which engineers create and can fix; for example, the details of writing and optimizing assembly code or the delays caused by batch processing. Essential complexity is caused by the problem to be solved, and nothing can remove it; if users want a program to do 30 different things, then those 30 things are essential and the program must do those 30 different things.
In later discussions Torvalds explained the reasons for its choice: a fully modular architecture, like the one adopted for HURD, would have posed problems to a degree of complexity that it could have compromised the accomplishment of the project. To avoid such risks and keep the degree of complexity of the project as low as possible, Torvalds decided to design a monolith and he actually wrote all the architectural specs himself, avoiding all the problems related to collective projects (e.g. division of labor, coordination, communication).
... the act of decomposing a large software project into components is an activity that results, at its best, in a suboptimal outcome: some sources of interdependencies are well determined and taken into account in the design of components and interfaces, while others are not. In some sense, even careful decomposition of large software projects tends to be accomplished making trade–offs between sources of interdependencies, recognizing the more visible ones and disregarding the less evident or less important ones. These reasons, combined with the huge size of large software project, account for the difficulties in the subsequent integration – testing – assembly phases. Likewise, less careful decomposition results in even greater problems at the final stages of code integration.
Literature both in management and in computer science has clearly pointed out the pros and cons of modular design and we have already discussed the undervalued difficulties that designers face when they invent modular architectures for complex systems. Along with Simon’s perspective, it has been shown that the decomposition of complex problems in nearly–independent sub–problems (i.e. modules) is a complex activity itself (Marengo et al., 2001). At the beginning, designers do not know precisely how to conceptualize the modules of new artifacts; later, when a first conceptualization is reached, they still vaguely know how good is the chosen architecture, compared to the other that have not been considered.
This is, I think, the most common way for my bug reports to open source software projects to ever become closed. I report bugs; they go unread for a year, sometimes two; and then (surprise!) that module is rewritten from scratch — and the new maintainer can't be bothered to check whether his new version has actually solved any of the known problems that existed in the previous version.
But that's what happens when there is no incentive for people to do the parts of programming that aren't fun. Fixing bugs isn't fun; going through the bug list isn't fun; but rewriting everything from scratch is fun (because "this time it will be done right", ha ha) and so that's what happens, over and over again...