The forums ran from 2008-2020 and are now closed and viewable here as an archive.



It would seem to me that the reason that WordPress might be considered not as secure as something like Drupal

In my mind, Drupal is on an equal playing field with WordPress. They both use PHP and MySQL. Many times, the exploits will be exactly the same.

WordPress is the most popular CMS so it makes it a bigger target.

This implies that there is such a thing as “security through obscurity” and that’s just simply not true. It’s a false sense of security. The REAL reason WordPress is insecure is because it’s so effing powerful. It can manage enormous sites, with an enormous amount of content and be totally dynamic; adding new content in real time is a breeze.

That kind of power though comes with great responsibility and a HUGE liability. You can cache static content but a lot of what’s on WordPress is dynamic. That means a PHP script calling the database every single time a page is requested. That kind of power will always be an attractive target, whether it’s WordPress, Drupal or Joomla. It doesn’t matter.

It’s that communication with the database on the server where you’re most susceptible. Now, this is true for many languages and many platforms. And… in many, many circumstances, static content is just not an option.

But keep in mind, reactive things like “spam protection” or “anti-spyware” will not totally solve your problem. All these things do is protect against widely known vulnerabilities. But in some cases, what is known as a zero-day exploit will exist for 5-6 months before it’s widely known. Savvy people, the type of people you’re trying to protect yourself from, can and will use these for months without anyone knowing.

I would maybe look into administering that server in-house if it’s at all feasible.