
"An attacker COULD if the stars align right EXPLOIT ..."

I'm too tired of the current scareware industry to write more.

The sad part is real security issues can get lost in the noise...



For sure. I've worked at orgs where we disabled package vulnerability scanners because they created a constant stream of upgrading busywork. So many "vulnerabilities" are things like "JavaScript prototype pollution in this package that does something in your build toolchain". So much noise and so very little signal; the incentives of these scanning and vuln tracking companies just aren't aligned well, I don't think.

Nowadays I tend to rely more on tech news to hear when there's an actual serious vuln I need to address.

(Note: I'm not advocating everyone do this. Do your own risk assessment.)


Note that tech news is biased towards flashy or relatable security issues. Nobody is going to n-day your phone (though you should, of course, keep it up to date). It's your Drupal you should worry about.


With that said, there is a long and proven track record of attacks on phones.

But those tend to be against journalists and activists.

What threat model you operate under is a nontrivial problem.


Right, those posts are kind of like newspaper articles about shark attacks


The issue is that understanding what is actually exploitable and what is actually a part of your threat model is difficult. It's a pretty high bar, a bar not met by most people that typically have decision-making power around a product or service. It's a huge problem, but it's not particularly easy to fix, so it's pretty obvious why the industry has taken the route of deciding certifications and scans = security, that vulnerabilities only exist if they have a CVE assigned, and that anything with a CVE assigned must be an actual problem.


I read it as "certifications and scams" :)


I had someone argue that WordPress had terrible security.

The only CVEs it had for 2 years only happened if you allowed random users to sign up.

There is a firewall plugin, and basically the only thing it does is check if you have outdated plugins and log all the times a bot tried to log in by posting user:admin password:admin to /wp-login.php. It's rare, but a few of them tried my domain name as the username instead. It sends me e-mails about new vulnerabilities found, and it's always some plugin. Sure, some of them are "installed" in thousands or millions of websites, but it's never anything in the WordPress core itself.

If you hide /wp-login.php and avoid dependencies, it's practically impenetrable, since it has to be the most battle-tested CMS out in the wild, and yet people swear it's a Swiss cheese of security holes.


xml-rpc.php paid for my pool... but I freely admit to a degree of "because the scanner said so".


"WordPress is fairly secure as long as you don't use any extensions and don't let arbitrary users sign up" is technically true, but it's no surprise that a lot of WordPress use cases collide with these two things.

For example, a WooCommerce site is both more sensitive than a blog and more likely to have sign-ups open and functionally necessary additional plugins running.

For better and for worse, WordPress is the ecosystem, not just the software itself.


I will not spend time figuring out your setup and threat model, I'll tell you that it might be exploitable. If you want someone to do that, pay them.


But you will spend time sending threatening emails with COULD and MAYBE? :)


If that's threatening for you then that's your own problem.


The stars do align, more often than you would believe.


No, they really don't. Exploits are rare, relative to the amount of code being run. And most "threats" are discussed absolutely, instead of relative to a threat model and mostly devoid of any context.
