Yes, for the most part.
The major drawback of WordPress is that, unlike Joomla!, it does not route all requests through one file (index.php) but several .php files which are scattered around the filesystem. We have now mapped and cataloged these files which allows us to provide a .htaccess Maker for WordPress. There is a caveat, though.
First, the wp-admin folder's .php files cannot be reasonable cataloged since they can change between releases. Therefore the .htaccess Maker has to allow executing all .php files inside those folders. As long as you use the "Administrator password protection" feature in conjunction with .htaccess Maker you are protected. If you use one but not the other it's possible -depending on your host- that a hacked subdomain (or even a different site altogether) may be able to put malicious files in your wp-admin folder and bypass security measures. This is a risk which does not exist on Joomla! as long as you're using both the frontend and backend protection feature of the .htaccess Maker.
The other fundamental flaw has to do with the code quality of third party plugins. Most of these plugins are written by people who are not professional PHP developers. In fact, since the WordPress plugin directory forbids listing for-a-fee software and demands plugin owners to provide free support it's extremely unlikely that you will find good code written by professionals in there. The exceptions are those who sell software-as-a-service or those who push their paid code through a free plugin. Most of the plugins you will find in there range from moderately dangerous to "COME AND HACK ME". Admin Tools for WordPress will stop most of the damage made possible by shoddy plugins. I would still recommend caution on what you install, though, and keeping both backups and an eye for any anomalous activity on the site.
Speaking of the WP Plugin Directory, I have seen takeovers by unsavory people. Semi-popular plugin written by a sole developer who's making no money and has to do free support (thanks for nothing, WP Plugin Directory!). Someone comes and asks to buy the plugin for $10,000. Developer says "hell, yeah". Unsavory dude lays low for a few weeks. Then he pushes a minor update with a few bug fixes and a minor new feature... and some nasty spyware, malware or spam code to make things more spicy! The unsuspecting site owner installs the update, ostensibly from the reputable developer of the semi-popular plugin, and their site is effectively hacked from the inside, bypassing all security measures. This is not possible with the Joomla! Extensions Directory for many reasons. With WordPress? The view of the Directory is that this kind of behavior will lead to bad reviews and eventually people will stop using the plugin. So, please, please, please be careful what you install ESPECIALLY if it comes from the WordPress Plugin Directory.
So, would I use WordPress? Yes, for some sites. Small business sites are better off using WP than anything else and your clients can update the pages without you having to take 100 calls per page changed -- oh, you will still make money fixing their bad edits, don't worry about that. I would use it for news / blog sites -- as long as the editors are willing to put up with the rolling dumpster fire that the soon-to-be-obligatory Gutenberg editor is. Really, before considering WP try out Gutenberg and keep in mind that it will be the obligatory default editor in a few short months. This is what convinced me to NOT convert my blog to WordPress (currently it's Joomla). I kid you not. You have to see it to believe it. Oh, yes, of course: the main use case for WordPress nobody admits to is e-commerce sites on the cheap. Back in the early 10's we were using Joomla + VirtueMart. Now people use WordPress + WooCommerce. It's the same idea: e-commerce quick and easy and may God have mercy on our souls. As for more complex sites I would definitely consider all options depending on the client specifications, scope, budget, deadlines, the experience of the team building the site, the experience of the build managing the site etc.
Just remember that security is not a black/white situation. WP + Admin Tools is not that much more insecure than Joomla + Admin Tools. It's still easy for someone managing a site to install the wrong plugin and undo your security. With Joomla! you can disable that feature or use ACLs to lock down the site. With WP you can't remove installing plugins but you can use Roles to prevent the inexperienced manager from screwing up. In the end of the day you have to do the balancing act of security.
Nicholas K. Dionysopoulos
Lead Developer and Director