Across the 25 frameworks WebPulse tracks, there is a clear inverse correlation between detection volume and security score. The most detected frameworks have the most CVEs. The least detected have the fewest. The relationship is not subtle.
The Data
Causation, Not Just Correlation
The relationship isn't just 'popular things get more scrutiny.' The architecture matters. WordPress, Joomla, and Drupal are monolithic PHP CMSs with plugin ecosystems, database dependencies, and server-side execution on every request. Each component is an attack surface. Each plugin is a supply chain dependency.
Modern frameworks like Astro, Hugo, and Eleventy produce static output. No database, no plugins, no server-side execution. The attack surface is fundamentally smaller — not because fewer people are looking, but because there's less to find.
The Structural Argument
This is not a 'PHP is bad' argument. Laravel scores 92/100 despite being PHP. The difference is architecture: Laravel enforces input validation, parameterized queries, and CSRF protection by default. WordPress leaves these to individual plugin developers — and 60,000 plugin developers make 60,000 different security decisions.
