Drupal is known for it's large number of community contributed modules that add functionality to the bare bones core system. While the core system is actively maintained by the Drupal core security team, there is no such guarantee for the third party modules.
The Drupal security team has announced critical updates in the Drupal software. Related to comment visibility, cross site scripting and unauthorised export of all configurations:
For the comments editing a user without the permission to administer comments the visibility of nodes can be set. Whoever has rights to edit a node can also change the visibility of comments for that node. This issue is not critical.
Recently a giant information leak revealed a number of individuals practising tax evasion using the Panamanian company Mossack Fonseca. In wake of the stories revealing the culprits behind the evasion itself Forbes has done investigative journalism to find the reasons that lead to the leak itself.
The surprising suspect is Free Software. The championed tools that are related with freedom of speech and freedom from evil corporations are indeed used largely everywhere - for good and evil.