Over a thousand posts in the Security Forum show an active interest in security, especially when it comes to protecting your own site. Some posts are from people who have had their outdated installations hacked, some are from Dev and Security Teams giving general advice on how to protect oneself, and some are from users who are just curious to learn more. Overall, there's a great interest in discussion around security.
The Joomla teams have repeatedly voiced how important security is. If Joomla isn't secure, then credibility can be lost. With less credibility, users will turn to other solutions for their needs. Once lost, credibility and trust take time to regain. So an ounce of prevention can be worth a pound of cure.
Security is not black or white. While you may or may not have heard the phrase "there's no such thing as 100% secure," it's definitely true when it comes to software—you can never be 100% secure or even 100% unsecure. Joomla is no exception.
Keeping Joomla users secure has been a daily exercise since day one. To best handle this, the Joomla Core Team recently created the Joomla Security Strike Team. Besides performing their own auditing, they look at each and every single report that comes in from users. Imagine what a tall task that is. Also imagine how many false reports come in or reports on an outdated install that already existed. It's a very time-consuming and detailed process, but completely necessary to keep Joomla as rock solid as it can be.
Users need to keep firmly in mind that security doesn't stop there. You, as the user, need to be aware of any vulnerabilities a third-party extension can cause. With almost 4000 "tidbits of goodiness" in the JED, it's hard to resist all those wonderful extensions that enable you to do just about anything you can imagine. But some due diligence is required when using third-party extensions. Check the developer's Web site thoroughly. Is there a support forum? Are users experiencing serious issues? Is there a reasonable response time from the developer? Naturally, whenever you use a new extension on your site, you're first testing it on a "sandbox" site (a duplicate of your live site for testing), right? You have a system for backups, right?
To say that Joomla is not secure is to say that it's always sunny in California. It's a generalization that's just not true. If your site was hacked, you'd immediately think "That damn Joomla!" because the culprit may not be initially apparent. Only after you've verified all third-party extensions and updated to the latest version of Joomla can you THEN point a finger at the Joomla Security Strike Team. But if you're not doing both of these things on a regular basis, then you're leaving yourself open and there's nobody to blame but yourself.
Security is a process, not a state.