HACKER Q&A
📣 indus

Is WordPress the most vulnerable website hosting tool?



  👤 pledess Accepted Answer ✓
You can, for example, take a look at their vulnerability reporting policy and how it interacts with plausible customer needs. For example, suppose I don't want the public to read my blog posts while they're still in Draft status. Furthermore, I care about this even if it would be "complex" for a member of the public to do so, perhaps because they would first have to "gather information" about how I've installed WordPress. The vulnerability score for this situation turns out to be 3.7: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H...

Now, https://hackerone.com/wordpress says "We generally aren’t interested in the following problems: Any vulnerability with a CVSS 3 score lower than 4.0." It doesn't say something like the vulnerability will be treated with lower priority, or that there may be a delay before the vulnerability is fixed. No. It says "generally aren’t interested." So, I'm not sure why I would ever use WordPress if they would indeed be "uninterested" in fixing a security problem that's relevant to me.


👤 Tomte
Of course not. I trust core WordPress and a small set of vetted plugins far more than a very new CMS.

The trick is to restrict yourself when it comes to plugins.