Automatic updates are enabled so the software is up-to-date.
I have several years of experience working with WordPress sites. I've been called to fix "hacked" blogs more than I would have liked, and every time it was because the software hadn't been updated and malicious files had been uploaded.

It's a ballpark figure, of course, but if you haven't updated your blog in the week following an update release, you can be certain an automated script has been created using an exploit that has been fixed in the release, and your blog is vulnerable to it.
How is all of this relevant to WordPress at all? It is the most popular blogging platform and as such is indeed receiving a lot of attention from hackers and script kiddies alike. Up-to-date WordPress is secure, outdated WordPress isn't. Not because WordPress is bad software, but because of how high profile it is.

Is a hack dating back two months old by your standards?
I'm afraid you're setting yourself an impossible standard that will possibly leave you regularly frustrated at people talking about potential vulnerabilities in popular software.

I agree with you that Roland's initial comment was both over-general and misleading (extra software isn't required and potentially adds additional vulnerabilities) but it still is WordPress we're talking about, the current highest profile blog platform, which means it is crucial to update in a timely manner.
Let me make a comparison. Friendica isn't completely secure. Even when you just updated. And yet we haven't received any hacking report from admins. So the risk isn't related to how secure the software itself is or the upgrade delay. It is more closely related to how popular the software is and how extensive its features are.