It's all well and fine to say it's secure but part of the issue is a lack of transparency about what WP does to review its code and ensure the core is tight and secure.
Lack of transparency? How? Have you visited the developers' blog? The entire development effort is open and you can always browse the source.
I'm not sure exactly what you are referring to but security is taken very seriously and everything about WordPress is open and transparent.
There's the Hardening WordPress Codex link.
Which has a section on reporting security issues.
Which also links to the FAQ Security.
To me this is the critical part of that FAQ.
- For a WordPress plugin security issue, email plugins [at] wordpress.org with as much detail as you can. You should also contact the plugin developer either via email (if it's listed in the plugin source code), or by posting in the support forum on their plugin page asking how best to send them details.
- For a security issue with the self-hosted version of WordPress, email security [at] wordpress.org with as much detail as you can.
In all cases, you should never publish details of a security vulnerability. Doing so is irresponsible and unprofessional.
See that last part? I happen to agree completely with that last statement. The important thing about an identified vulnerability is to fix it. It's not for providing a road map on how to exploit older versions.
The problem with talking about security and WordPress is that the topic becomes a dog whistle. Too many folks just respond to the whistle and start with a mistaken premise.
Security should be talked about but without the preconceived notion that WordPress is insecure. When a vulnerability or exploit is determined (or even a POC) it gets a patch and an update is rolled out. That doesn't make WordPress insecure or lacking in transparency.