The simplest one is: Because it exists and it is open source.
We are addressing the issue from both perspectives - WordPress and Joomla, as both CMSs are open source.
Last year WordPress released an update in which they announced that they had fixed a small security leak in the WordPress API. Within a few hours, 1.5 million WordPress sites were hacked through that leak because they were not updated immediately!
Because WordPress and Joomla! are open source systems the source code is open to everyone. So hackers can also browse around looking for weaknesses, leaks, and entrances that they can use to hack sites.
Many site owners think that their site runs little risk of being hacked.
Here are a few reasons why hackers - with all due respect - are also hacking „relatively simple sites”:
Fortunately, we have a way to help your site avoid becoming one of the statistics – SmartUpdater! A revolutionary way to automatically apply your Joomla and WordPress updates.
Not only can it keep your core CMS up-to-date, but it can also update your Themes, plugins, components, and modules. More information about our SmartUpdater and how it can help you can be found here on our site.
If you already know how to do this, it is, in any case, a lot of work that can not wait and therefore has to be carried out immediately.
You MUST really update your site - immediately if an update is available - and prevent you from being hacked. And not only WordPress or Joomla itself. But also the plugins, extensions, and themes, because they also have their own leaks.
Otherwise, it is only a matter of time, for it to be hacked.