WordPress and the willingness of risk

By: Rob Corbidge, 22 June 2023

The WordPress vulnerability issue is one many publishers take on as a normalised menace whether they know it or not.

A periodic scan of WordPress-based publisher sites reveals that of 117 total sites surveyed, only 23 were running the latest WP version 6.2.2, which was released one month ago. 

Additionally, 65% of the sites, 76, had issues classed as a "vulnerability" according to the scan, which used WordPress Scan.

The volume and tempo of WordPress vulnerabilities haven't really changed over the past several years. Last month came the news that a WordPress security plug-in was insecure, affecting over a million sites. Look back another month, and there's another major issue, and so on.

It's inevitable, given the sheer volume of sites on WP, that such issues occur, and we all know how determined hackers are. All systems require maintenance.

Yet this maintenance is a cost: either publishers must accept it in order to eliminate risk to their publishing systems, or they must be able to live with a degree of risk, a risk made more complex as each WordPress install becomes a unique install over time, as customisation occurs.

Whether that degree of risk is fully appreciated, or whether "everyone else does it" is comfort enough, is a point worth considering.