IIUC the main problem with security (and how most WP sites get pwned) is the plugin ecosystem. There are thousands of plugins out there, which means that among many secure ones, there are also many (very) insecure ones. If you’re judicious and don’t install low-quality plugins, it shouldn’t be a major problem.
WordPress itself has automatic updates turned on by default, so if a vulnerability is patched in WP core, that will land on your site automatically without any effort on your part.
One plugin that’s I use on my WP sites is the free version of the Wordfence firewall. While not really necessary given the above, it does give me a little peace of mind.
All that said, the main draw for WP is to be able to manage a website without having to touch code. If you’re happy to write your pages by hand, a static site generator is definitely a lot more lightweight than a CMS like WordPress.
That and without an income source, you can’t pay content creators, so you can’t attract them to the platform in the first place. People dislike YouTube for running ads, but the ads are what pays for the videos.