We took a look at the plugin repository and discovered the following:

• There are currently a total of 37,300 plugins available in the WordPress.org repository
• 17,383 of those plugins have not been updated in the past 2 years.
• 13,655 plugins have a compatibility tag of 3.x. WordPress 4.0 was released in September 2014.
• 3,990 plugins have not been updated since 2010 which is over 7 years ago.
• There are 29,892 additional WordPress plugins in the plugin source code repository that are not listed in WordPress.org in the plugin directory.

Source: https://www.wordfence.com/blog/2017/05/22-abandoned-wordpress-plugins-vulnerabilities/

WordPress’s dependence on plugins turns out to be a double-edged sword; plugins are not tested by any WordPress core developer team to ensure they pass some form of QA before being added to the plugin repository. As a result, your site may fall victim to serious bugs and security vulnerabilities

Source: http://www.htmlgoodies.com/beyond/cms/slideshows/top-10-open-source-cms-options.html

Nowadays WordPress has become extremely vulnerable to hacking . . . given the huge range of third party additions (themes, plugins, etc.), ensuring any given installation is hacker-proof is pretty difficult.

Source: http://www.networkworld.com/article/3031095/security/is-it-time-to-give-up-on-wordpress-sites.html

Joomla suffers from the exact same issue that WordPress suffers from when it comes to plugins. Plugins are not tested against the system by Joomla core developers before being added to the repository (this same issue is persistent across a ton of CMS and isn't Joomla specific)and there are also a significant number of outdated plugins from 2010 - 2012 throughout the Joomla extensions directory.

Source: https://www.cmscritic.com/wordpress-joomla-and-drupal-are-not-the-best-cms/

Choose Plugins Wisely

Bottom line: it only takes one bad plugin to break or compromise your site.

In fact, a single missing semicolon can blast your entire site into a silent screen of empty white, or, worse, cryptic error messages.

That's how code works. (And you thought computers were "smart".)

Source: http://cms.about.com/od/build-your-cms-website/a/Choose-Plugins-Or-Modules-Wisely.htm

When a site does break, it's natural to blame the upgrade.

It's also totally wrong. That upgrade just fixed a bunch of bugs on your site, maybe even a few security holes.

Instead, blame the plugins or modules you've added. Plugins break sites, not upgrades.

Source: https://www.cmscritic.com/wordpress-joomla-and-drupal-are-not-the-best-cms/

Most plugins and modules are developed by different people than the developers working on core. So, every plugin on your site will have separate upgrades. All these teams are working independently. Any one of them can release an upgrade for their own plugin at any time.

Maintaining all these separate upgrades is one of the most time-consuming parts of running a website. (Although it's still faster than writing all your own code.)

Source: http://cms.about.com/od/cms-basics/g/What-Is-Core-And-Why-Does-It-Matter.htm

Bottom line: Systems that are heavily reliant on plug-ins are more apt to have security vulnerabilities for which there is no known patch. Why is this? Even frequently-used plug-ins are not always actively maintained and enhanced by their original developers.

Source: http://www.realstorygroup.com/Blog/1823-Beware-Drupal-Joomla!-plug-in-vulnerabilities

Plugins and extensions: the Achilles heel of popular CMSs

Source: https://www.htbridge.com/blog/plugins_and_extensions_the_achilles_heel_of_popular_cmss.html

PHP static code analysis vs ~1000 top wordpress plugins = 103 vulnerable plugins found

Source: http://blog.cinu.pl/2015/11/php-static-code-analysis-vs-top-1000-wordpress-plugins.html

Yes, Drupal 7 is officially available for download (get it here). But it's important to recognize that this is just the Drupal 7 core — the release status obviously does not apply to the thousands of modules (add-ons) contributed by the community. Although there has been much support from the community that supplies contributed modules, and an entire movement that pledged to have their modules D7 ready by release time, it hasn't exactly happened.

Source: http://www.cmswire.com/cms/web-cms/drupal-7-released-but-is-it-production-ready-009722.php

A bytecode cache is integrated with the PHP runtime at a very low level. Thus, if the development of the bytecode cache is decoupled from the development of the PHP runtime itself there is a risk of "running out of sync". More often than not it took both the vendors of commercial products as well as the developers of open source solutions months to adapt their bytecode cache after a major new version of PHP had been released. In the past, this gap was a contributing factor to the slow adoption of new PHP versions.

Source: https://wiki.php.net/rfc/optimizerplus

Browser Plugins – One Of The Biggest Security Problems On The Web Today

Source: http://www.makeuseof.com/tag/browser-plugins-one-of-the-biggest-security-problems-on-the-web-today-opinion/

At the time of writing there are an enormous number of plugins on WordPress.org. However, the vast majority of those plugins are:
out of date,
buggy,
bloated,
unsecure, or
a combination of one or more of the above.

Source: http://www.woothemes.com/2013/09/wordpress-plugins-ignorance/

Part of the reason for these vulnerabilities is that WordPress is fairly complex so interactions with plugins can produce unwanted and occasionally dangerous security issues. The other major reason is that the coding practices of third parties can be inadequate so dumb vulnerabilities such as buffer overflows and SQL injections can be part and parcel of some “must have” feature added by a plugin.

Source: http://www.networkworld.com/article/2908112/security-vulnerability-mgmt/how-to-avoid-getting-hacked-due-to-vulnerable-wordpress-plugins.html

Every developer should feel responsible for the entire application developed by their team. The entire team should be proud of the work accomplished. It makes the developers, and the product owner, happy in the long run.

Source: http://www.redotheweb.com/2014/02/27/collective-code-ownership.html

Too often new modules are contributed that do nothing new; instead, they only do it in a different way. We are then stuck with two modules that offer nearly similar functionality, but neither do it well enough. This leads to confusion, clutter, and a lot of inefficiency.

Source: https://www.drupal.org/node/23789

It’s harder to read code than to write it.

This is why code reuse is so hard. This is why everybody on your team has a different function they like to use for splitting strings into arrays of strings. They write their own function because it's easier and more fun than figuring out how the old function works.

As a corollary of this axiom, you can ask almost any programmer today about the code they are working on. "It's a big hairy mess," they will tell you. "I'd like nothing better than to throw it out and start over."

Source: http://www.joelonsoftware.com/articles/fog0000000069.html

Brooks distinguishes between two different types of complexity: accidental complexity and essential complexity. Accidental complexity relates to problems which engineers create and can fix; for example, the details of writing and optimizing assembly code or the delays caused by batch processing. Essential complexity is caused by the problem to be solved, and nothing can remove it; if users want a program to do 30 different things, then those 30 things are essential and the program must do those 30 different things.

Source: https://en.wikipedia.org/wiki/No_Silver_Bullet

In later discussions Torvalds explained the reasons for its choice: a fully modular architecture, like the one adopted for HURD, would have posed problems to a degree of complexity that it could have compromised the accomplishment of the project. To avoid such risks and keep the degree of complexity of the project as low as possible, Torvalds decided to design a monolith and he actually wrote all the architectural specs himself, avoiding all the problems related to collective projects (e.g. division of labor, coordination, communication).

... the act of decomposing a large software project into components is an activity that results, at its best, in a suboptimal outcome: some sources of interdependencies are well determined and taken into account in the design of components and interfaces, while others are not. In some sense, even careful decomposition of large software projects tends to be accomplished making trade–offs between sources of interdependencies, recognizing the more visible ones and disregarding the less evident or less important ones. These reasons, combined with the huge size of large software project, account for the difficulties in the subsequent integration – testing – assembly phases. Likewise, less careful decomposition results in even greater problems at the final stages of code integration.

Literature both in management and in computer science has clearly pointed out the pros and cons of modular design and we have already discussed the undervalued difficulties that designers face when they invent modular architectures for complex systems. Along with Simon’s perspective, it has been shown that the decomposition of complex problems in nearly–independent sub–problems (i.e. modules) is a complex activity itself (Marengo et al., 2001). At the beginning, designers do not know precisely how to conceptualize the modules of new artifacts; later, when a first conceptualization is reached, they still vaguely know how good is the chosen architecture, compared to the other that have not been considered.

Source: Modular Design and the Development of Complex Artifacts: Lessons from Free/Open Source Software, by Alessandro Narduzzo and Alessandro Rossi, DISA, Faculty of Economics, Trento University, OSS 2005 - Proceedings of the 1st International Conference on Open Source Systems 02/2003;

This is, I think, the most common way for my bug reports to open source software projects to ever become closed. I report bugs; they go unread for a year, sometimes two; and then (surprise!) that module is rewritten from scratch — and the new maintainer can't be bothered to check whether his new version has actually solved any of the known problems that existed in the previous version.

(snip)

But that's what happens when there is no incentive for people to do the parts of programming that aren't fun. Fixing bugs isn't fun; going through the bug list isn't fun; but rewriting everything from scratch is fun (because "this time it will be done right", ha ha) and so that's what happens, over and over again...

Source: Cascade of Attention-Deficit Teenagers" model (CADT), by Jamie Zawinski