I think you need to account for the base rate. There's a lot of WordPress plugin vulnerability disclosures because there's a lot of WordPress plugins and there are enough deployments of the plugins to make searching for those vulnerabilities is worthwhile.

That site warns that WordPress plugins can be abandoned, but that's clearly not a WordPress specific issue. Sure some site could use SSG, but that's a different design.

I certainly don't want to claim WordPress security is good, but I'm not sure that site is measuring anything meaningful.