You canna win, can ye ?
Patch and users grumble, don't patch and users grumble.
Come on, people, they're doing something and doing it in a timely manner.
If you don't like patching, go back to Windows XP, you'll be fine there.
After scrambling to patch a critical vulnerability late last month, Drupal is at it again. The open source content management project has issued an unscheduled security update to augment its previous patch for Drupalgeddon2. There was also a cross-site scripting bug advisory in mid-April.
Joomla has a similar history of vulnerabilities. It seems Drupal is equally dangerous. So if one needs to use it, it should at least be very vigorously patched. However, external subcontractors creating content on such tools often leave it without any patching framework whatsoever. That's at least what the company I work with experienced.
"What's that? You want your website patched? Oh well that falls outside of our contract agreement, but would you like to sign up to our security service? We'll patch it for you for £X a month."
Is one method a cowboy outfit I used to work for conducted its business.
Other than that, the web is awash with sites that are static but built on CMS systems that neither the builder nor the owner ever bother looking at again.
"Come for the software, stay for the ... people"?
But seriously, that argument's a bit on the silly side isn't it? That's like swearing-off Windoze because it powers the computer systems of Evil Corp.
(Full disclosure: I earn a crust as a Drupal developer and have seen some awful examples of sites built with it, but I've also seen awful WordPress sites, awful Joomla sites, and awful home-grown sites).
/Al - beer, because Drupal has driven me to drink.
I've worked with many frameworks and various (.*) management systems in my twenty-ish years in this field, and nothing has filled me with dread like working on a Drupal system.
As far as I can see, the only people who like Drupal are the people who build sites in it, then keep getting called back as contractors because no-one can work out what the hell they've done or how to maintain it themselves. It's the only system I've met so far that has made me quit a job or refuse a job offer. And I have next to no standards. ;)
I have the exact same terror of SharePoint. That and very high psychiatrist bills.
I am less wary of Drupal because at least I can see the source and see what is going on. It may not be beautifully designed or implemented core code (8 is better than 7) but at least it is visible. SharePoint, on the other hand, is totally opaque, almost indescribably inefficient and there are still daft bugs in there that were present in releases from 15 years ago. Expecting, let alone trusting, SharePoint to do anything like what a sane person would expect a "CMS" * to do is asking for trouble - basically just give up and do everything the "SharePoint way" regardless of how insane it is, fighting SharePoint stupid is a pointless endeavour.
* I know it's not strictly a CMS, it's often used as one though...
Patching away, again. Though each time something on some site invariably breaks. Which is why I am extremely happy we have web application firewalls that are meticulously maintained. It’s frankly amazing how many blocked requests there were in the last month, checking for the latest Drupal vulnerabilities... One Drupal site is still on 7.54. The thing that broke when updating to 7.58 was the same thing that broke when updating to 7.54, but the web developer that “fixed” it didn’t document and forgot what he did.
By the way, maybe it’s just here but it seems that tickets logged by development teams for the infrastructure team are invariably high priority. The other way around: well, let’s just say that I have an open ticket that will celebrate its third birthday next month...
I briefly had the misfortune of working for a Drupal shop, on the team responsible for some name-brand restaurant booking service. The Drupal developers specifically are the rudest, most apathetic people I have ever worked with. They don't like people asking questions, they don't like fixing bugs, they don't like testers at all. And no matter how shit their code was, they always expected me to write tests that would pass when they committed it on the last day of every sprint.
They all thought that caching was like magic pixie dust in its ability to make crap websites run well.
And they were charging in the region of 5 or 6 hundred a day essentially to make bad website templates.
I hate Drupal.
I like Drupal; on the other hand, I completely agree with your experience of the Drupal developers. They have improved a little, but that's an extremely low bar to start from. Some seem to run it like an academic project operated for their own technical amusement and self-congratulatory esoteric thoughts compared to something that is meant to be used in the real world. If they didn't have this attitude, it would be considerably more successful than it is.
Then use a static site generator like Jekyll, Hugo or hundreds of others.
If you need dynamic content, make a JSON backend which your page interacts with via JavaScript. This gets rid of about 90% of framework vulnerabilities.