This is going to be a nightmare for a lot of smaller shops I know who have hundreds of Drupal clients. They must be going crazy right now.

I stopped using Drupal and WordPress about a year ago and am glad I did. Several clients and I just dodged a MASSIVE bullet!



Just because you have not found vulnerabilities, it does not mean they do not exist. This Drupal vulnerability sat there for a while before a security code audit found it.

What are you using to build sites now? When was the last time the codebase was audited by a security firm? There might be bullets out there for you...


Exactly. Not enough eyes on enough code these days. I've found obvious bugs in almost every framework or CMS I've examined so far :)


What are you using in place of those? Wouldn't your clients normally pay for maintenance?

The killer here is:

"Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)"


I replaced WordPress with a home-built solution that is drastically simpler. It retains most of the URL compatibility so links wouldn't break, but it has only a tiny fraction of the functionality of WordPress (most of which we didn't use anyway). It's entirely possible that our solution has vulnerabilities (though we designed it with security in mind, and the code base is much easier to audit due to its simplicity). But at least it's not going to get compromised due to a generic WordPress exploit.


There would be a lot of demand for a much simpler WP alternative built with security in mind. Would you by any chance be open sourcing the project? More eyes on the source couldn't hurt.


We ourselves built a project with speed and security in mind and are working on open sourcing it in 2015.


For my monthly subscribing clients, I use an MS stack (with Azure) with Visual Studio and then have them on the $20/month CloudFlare plan.

Included in their monthly sub is an update service. I maintain a 24-hour turnaround on any changes. This way, I get to control my code, then don't break their site, and everybody plays nice.

Lately, I've been using PyroCMS or KeystoneJS for a lightweight CMS when necessary. Most of my CMS customers are one-time dev deals. I design, build and then hand it over to them so I'm not responsible for security or updates - which is something I have in the contract they sign.

By doing so, I can maintain control (in a security sense) over the clients I need to, and then I don't have to take chances with WordPress or Drupal. I've been a fan of Drupal, so it's tough to see they got hacked pretty good. Usually it's plugins which get hacked, so getting the core of your framework hacked is a huge deal.


Statically-generated site with client-side customization?


You still have server-level vulnerabilities to contend with. It might be a simpler task to maintain server-layer security and not have to worry as much about application-layer, but security is still something that needs to be dealt with, if you have a server that is powered on and connected to a network.


Host with a private repo on Github Pages.


Why? Didn't they plan for security updates?


Most of the smaller web design shops that create WordPress or Drupal sites for customers either don't do updates or offer it as an optional paid add-on that many customers don't subscribe to.



