Yes ....and no....
I used to run an OSC site, and it took me the best part of 2 years to get it "just right". OK, I'm quite slow :-) ...but one thing I did learn was that a lot of people running OSC really do not give a shit about security - especially that of their users and customers. OSC was also to blame in this respect - it's why I wrote the "register globals" mod for 2.2 so that you no longer had to run it with PHP's "register globals" option enabled, which even back then was a blindingly obvious, huge, and very well known security hole. I think my mod got used quite a bit by others - I'm not sure.
The OP is right though - in order to get a site working half-decently, you had (still have?) to install a dozen mods and patches, each of which was of unknown quality and quite often written in an insecure way. I ended up re-writing big lumps of it for myself - it's probably why it took me two years to get it working!
But back to my original point, a lot of people running OSC sites really do not give a gnat's bits for security. I lost count of the number of times I posed and read questions regarding security issues and it seemed that most people were interested in was whether the site stayed up long enough to get someone's order in; what the hell if it was full of bugs and security problems? You can probably still find loads of posts asking about storing credit card numbers on the site's server. Apart from almost certainly being against the T&Cs of the bank providing the merchant account (they generally demand demonstrably rigorous security systems to be in place before you do this sort of thing, and yes, I know this is a bit pot-kettle as far as banks are concerned, but still), this sort of thing is just bloody irresponsible. And if you pointed this out, you would get a response (if you got one at all) of "so? Who cares?".
I think this is in part why Zen Cart started up - by a bunch of OSC people who got fed up with the OSC way of doing things.
I know OSC has probably moved on a lot since I used it, but I bet the attitude and ethos has not. If I ever set up another e-commerce site, I shall be looking elsewhere.