Wp wp wp...
Noticed WP on full disclosure a few days back now, slow to the table el'reg?
I had to deploy WP for a client, and someone in HR absolutely insisted it was WP despite not wanting comments etc., so I set it up that the "WP" site in production was a flat static copy of the dynamic one on a local, private-to-them hosting server, and a push mechanism to push new releases when things changed. They still got their clicky familiar CMS, I still got to sleep.
Experience suggests this has been a good idea... 35000+ hits to a nonexistent wp-login.php in the past few months, loads of bots trying xmlrpc.php, wp-json etc., the full gamut of exploitable vectors in fact. Yes, it could be patched up to the eyeballs constantly, but only one attack has to get through...
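An added example, not part of the comment above: a small log check for a static export like the one described, counting requests to the three WordPress endpoints the comment names and flagging any that did not get a 4xx (which would mean a dynamic file slipped into the static copy). The combined log format, the function name `summarize` and the sample lines are assumptions; the log lines are constructed.

```python
import re
from collections import Counter

# Endpoints named in the comment; none should exist on a static export.
WP_PROBE = re.compile(r"^/+(?:wp-login\.php|xmlrpc\.php|wp-json(?:/|$))", re.I)

# Common/combined log format: ip ident user [time] "METHOD path proto" status size ...
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def summarize(lines):
    """Count WordPress endpoint probes; collect any answered with a non-4xx status."""
    by_path, by_ip, leaks = Counter(), Counter(), []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # malformed or truncated line
        path = m["path"].split("?", 1)[0]  # ignore the query string
        hit = WP_PROBE.match(path)
        if not hit:
            continue  # ordinary request for the static site
        by_path[hit.group(0).lower().strip("/")] += 1
        by_ip[m["ip"]] += 1
        status = int(m["status"])
        if not 400 <= status < 500:
            # The static copy served something here: check the export.
            leaks.append((m["ip"], path, status))
    return by_path, by_ip, leaks

# Constructed sample log lines (documentation IP ranges).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2024:06:25:01 +0000] "POST /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2024:06:25:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 153 "-" "-"',
    '198.51.100.23 - - [10/Mar/2024:06:26:10 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 404 153 "-" "curl/8.0"',
    '198.51.100.23 - - [10/Mar/2024:06:26:11 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4821 "-" "-"',
    '192.0.2.50 - - [10/Mar/2024:06:27:00 +0000] "GET /index.html HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    paths, ips, leaks = summarize(SAMPLE)
    print("probes by endpoint:", dict(paths))
    print("probes by client:  ", dict(ips))
    print("non-4xx responses: ", leaks)
```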