One concern we have heard from potential clients on occasion is that Drupal has a lot of security updates, and that this might be an indication that Drupal is inherently vulnerable. I can't fault people for thinking that way: if the fire alarm in your workplace went off on a regular basis, you might become overly sensitive to the notion that the place was at risk of burning down.

Let's look at this from a different perspective: the steady stream of updates is in fact a very good sign, and an advantage that places Drupal ahead of competing CMS products. First, let's look at some actual figures for the number of security updates for Drupal. On Drupal.org we can find a record of security advisories going back many years.

Number of Security Advisories
(for Drupal core and contributed projects per year, as listed on Drupal.org)

Year         Core   Contributed
2015 (YTD)      1            80
2014            6           128
2013            3            98
2012            4           174
2011            3            59
2010            2            98
2009            8           115
2008           11            64
2007           11            21
2006           12            21
2005            7             2

As the table above shows, there are far more advisories for contributed modules than for Drupal core itself. That is still relevant to you as a site owner: almost every production Drupal site depends on a set of contributed modules, so the contributed advisories are just as important to track and apply as the core ones. Note also that a high advisory count measures how much vulnerability reporting and disclosure is happening, not how many defects exist; it rises with the number of contributed projects and with the amount of scrutiny they receive. So where do these security advisories come from? This is one of the things that sets Drupal apart from other open-source systems: there is a dedicated Drupal Security Team.

The Drupal Volunteer Security Team

The security team is an all-volunteer group of individuals who work to improve the security of the Drupal project. Their primary task is to resolve reported security issues, publishing each fix as a Security Advisory, and to assist contributed module maintainers in resolving security issues in their own projects.

So, while I can understand that it is annoying to have to apply security updates regularly, these advisories are actually a strong indication that really smart people are looking out for the viability and strength of Drupal as a CMS. They work with the community to find issues, then provide updates, and even guidance on how to fix issues in contributed modules.

Not Knowing About Vulnerabilities Doesn't Make You Safe

Many other Content Management Systems that offer a feature set similar to Drupal's do not have this kind of organization in place to monitor and respond to reported vulnerabilities. At best, you may see some rumblings on forums within the community; at worst, you may be entirely on your o