• I have some own and some client WP sites running. Suddenly I got emails that for my user the password reset was requested, although nobody did this. So I started to have a look at the security.

    How come it is possible for hackers to get a list of users?

    After installing some plugins I realized that Vulnerability checks are done the whole time, bots are trying to log in all the time, in one event they even managed to have an application password set up and posted their stuff under a users name.

    WP seems to be so vulnerable in so many ways, why is that?

    Why do I have to avoid things myself through simple htaccess entries (block checking user IDs, switch off XML-RPC, avoid search folders, avoid XSS attacks, content sniffing and clickjacking) or by using external plugins to block brute force or bots and to block spam?

    Why do I have to change the functions.php myself to switch off the author archive, change REST-API behavior, change login error messages (“User ID OR password is wrong”), get rid of oEmbed discovery links in the source text?

    This all should be incorporated already in a good content management system I think…

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator t-p

    (@t-p)

    look into security plugin like https://wordpress.org/plugins/wordfence/

    Thread Starter mafe65

    (@mafe65)

    Thank you, this is exactly what I don’t want to have to do…

    Security plugins can be a good solution but if you do not wish to use these you should also look at hosting providers that already offer security features and security guarantees for your site.

    Thread Starter mafe65

    (@mafe65)

    Thank you, I have a good hoster, with latest PHP and Database version, all the rest is on my own – which I definitely prefer in contrast to hosters that regulate too much and pre-setup all kind of stuff which is not needed and slows down performance.

    As written in my post, there are easy ways to stop hackers by having relevant lines in htaccess and functions.php, which should be standard, so that users don’t have to care about it and no additional plugins are needed which often slow things down or create issues with privacy.
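For readers who want the concrete shape of the functions.php hardening mafe65 describes in the opening post and again here, the following is an added example (not code from the thread or from WordPress itself): it uses only core hooks, and assumes it is dropped into a theme's functions.php or a small must-use plugin.

```php
<?php
// Added example (not from the thread): WordPress hardening via core hooks.
// Assumed location: the active theme's functions.php or wp-content/mu-plugins/.

// 1. Generic login error so the message no longer reveals whether the
//    username exists ("User ID OR password is wrong" style).
add_filter( 'login_errors', function ( $error ) {
    return 'Username or password is incorrect.';
} );

// 2. Block user enumeration through ?author=N and /author/<login>/ archives.
//    Priority 1 runs before redirect_canonical() (priority 10), which would
//    otherwise redirect ?author=1 to /author/<login>/ and leak the login name
//    in the Location header before this hook is reached.
add_action( 'template_redirect', function () {
    if ( is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 3. Expose the REST users endpoints only to accounts that may list users.
//    rest_endpoints is applied after REST authentication, so the capability
//    check reflects the actual requester.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! current_user_can( 'list_users' ) ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 4. Remove oEmbed discovery links and REST API advertisement from the head
//    and from the Link response header.
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
remove_action( 'wp_head', 'rest_output_link_wp_head' );
remove_action( 'template_redirect', 'rest_output_link_header', 11 );

// 5. Disable the authenticated XML-RPC methods (the ones used for login
//    brute force via system.multicall). Unauthenticated pingback methods are
//    not affected by this filter; block /xmlrpc.php at the web server for that.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

After activating, confirm the effect by requesting /?author=1 and /wp-json/wp/v2/users as an anonymous visitor: the former should redirect to the home page rather than to an author slug, and the latter should return a 404 rest_no_route error.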

