Well, my conclusions are based on the code I’ve seen. As a disclaimer, I have a familiarity with each of the CMSs, but I don’t use any of them regularly. A few years back, I was interested in how CMSs were built, so I downloaded a bunch of them and tried to figure it out.
Drupal’s code is cleaner. They have coding standards and reviews. They have a fairly large security team. They also have a philosophy of not being strict about backwards-compatibility: if something needs to be fixed, or could be “done in a better way,” they do it. They maintain older versions for a certain amount of time (I think it’s just the most recent major branch), and then drop them. If some plugin relied on the mistake that is now gone, then the plugin is simply broken (unless the developer decides to go fix it, too).
Drupal is also very developer-oriented. This makes it harder for beginners, but better overall. Drupal is very scalable and extensible.
Now, going back to my earlier post, I’m not saying that WP is horrible. It’s fine for many purposes, as long as you take the effort to be informed and security-conscious. Of course, this is something you should always be doing, regardless of what software you choose.
If you’re looking to secure WP, there is plenty of advice online. Skip the ones that offer a plugin that does it all for you.