At this point , no matter what people recommend , it will always have someone who will say
"that cms sucks"
"that cms has horrible code"
"why would you even"
and I could go on.
In truth , it doesn't matter what cms you use. It's matter of how knowledgeable you are. The more you understand of mysql/mysqli and php , the lesser you need to worry about exploits , as you can patch them yourself.
My favorite cms , until today has always remained UberCMS . I even loved @
Jonteh's ubercms 2.0.1 , despite how many people kept criticizing it for exploits and backdoors , but with just enough effort , you can always clean out the thrash. But that's my liking.
If you are going to ask me , I'm going to recommend RevCMS , and I don't care what people say , but yes , it is said to be the safest out there (without all the plugins) though yes there are a few threads out there with it's known exploit fix
https://forum.ragezone.com/f353/revcms-fix-1012326/
But overall , yes this is my point of view , if you don't agree you don't have to work on it , also best of luck with your experimenting :)