Kihangeri wrote: Joomla has been exposed as a weak template which is easy to hack.
The Administration Police website has been hacked several times in the recent past. At the same time, most of the websites hacked appear to have been running the Joomla Content Management system:
Gurus caught napping

The best would have to be a customized organic system that was built from the ground up.
With such a system, hackers will have no idea of the architecture that was used, nor will they know the vulnerabilities. Of course the developers will need to meet the laid security policies, such as but not limited to SSL. They will also have to comply with the "Best Practices" in security.
With open-source-ware, hackers can easily study the open code, identify where the weakness is, then attack, while on the other hand, with a customized web app or website, the hacker would have to depend on luck, such as guessing a password. But before they can even begin guessing the password, they will have to find out where the login page is, since it is a customized system.
Even if Joomla is fully updated, the plugins can open doors to the system and make the system vulnerable to hacks.
Yes, carelessness can also contribute to vulnerabilities.
A list of unsafe Joomla plugins:
http://docs.joomla.org/Vulnerable_Extensions_List
From SQL Injection to cross site scripting, and everything in between.
If you really do depend upon using an existing system, I would then highly recommend a migration to Drupal. It is powerful, highly customizable, not as easy to use compared to Joomla. It is faster, more stable, more scalable and more secure, but an organic system is better.
A good comparison of WordPress with Joomla with Drupal:
http://www.socialtechnol...omparison-cms-solutions
Anyone migrating to Drupal will love CCK & Views - one of Drupal's best kept secrets.
Remember, even though there is technology to develop database driven websites, it is not always a must to do so; static websites have a place too. They are much more secure and faster than the best database driven websites. There is almost no vulnerability from the site itself. Should the site be disrupted, it would highly probably be from an attack on the server.
DDoS attacks on the server are common; that is what happened in the recent attack on the US Gov sites following the SOPA saga. A DDoS attack is not really a hack, it simply causes the server to crash by flooding it with requests. DDoS attacks cannot be prevented by the type of application or website running on the server. Once the server is down, rebooting it is probably all that will need to be done to bring it back up, but going further to adjust the firewall rules based on the patterns that were observed in the log files will help minimize the effects of future attacks.
They tried to bury us, they didn't know we were seeds.
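
The log review mentioned at the end of the post above, as an added example that is not part of the original post: it buckets access-log requests per source IP per minute and lists the addresses whose peak rate exceeds a limit, which is the input a firewall rate-limit or block rule needs. The combined log format, the function names, the `per_minute_limit` parameter and the sample lines are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed input: Apache/Nginx "combined" access log, which starts with
# client IP, identity, user, then [dd/Mon/yyyy:HH:MM:SS +zzzz].
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (ip, minute_bucket), or None when the line is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), TS_FORMAT)
    except ValueError:
        return None
    return m.group(1), ts.replace(second=0)

def flood_sources(lines, per_minute_limit):
    """Map each IP that exceeds the limit in any one-minute window to its peak rate."""
    windows = Counter()
    for line in lines:
        rec = parse(line)
        if rec is not None:
            windows[rec] += 1          # key is (ip, minute)
    peaks = {}
    for (ip, _minute), count in windows.items():
        peaks[ip] = max(peaks.get(ip, 0), count)
    return {ip: n for ip, n in peaks.items() if n > per_minute_limit}

def build_sample():
    """Constructed log lines: one noisy client, two ordinary ones, one broken line."""
    lines = [
        f'203.0.113.9 - - [20/Jan/2012:10:15:{s:02d} +0000] "GET / HTTP/1.1" 200 512 "-" "-"'
        for s in range(40)
    ]
    lines.append('198.51.100.4 - - [20/Jan/2012:10:15:03 +0000] "GET /about HTTP/1.1" 200 900 "-" "-"')
    lines.append('198.51.100.7 - - [20/Jan/2012:10:16:10 +0000] "GET /contact HTTP/1.1" 200 700 "-" "-"')
    lines.append('truncated line without a timestamp')
    return lines

if __name__ == "__main__":
    for ip, peak in sorted(flood_sources(build_sample(), 30).items()):
        print(f"{ip}: peak {peak} requests/minute, candidate for a rate-limit or block rule")
```

A per-address threshold like this only surfaces sources that are individually noisy; a flood spread thinly across many addresses needs aggregate measures such as total requests per minute or per requested path.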