Friendly reminder to Drupal admins: Secure your sh!t before latest RCE-holes get you

Anonymous Coward

Django and Drupal are two different beasts

Django is a framework to build web applications, and to get something usable you'll have to write your own code. Drupal is a true CMS, and you can start using it straight out of an install if you don't need specific customizations.

That also means there's much more code in a stock install of Drupal - and thereby the attack surface is larger. No surprise here: we have the usual lack of input control passed along technologies like REST, where you can pass almost everything you like because the protocol itself has few checks.

With Django, a lot depends on the skills of the developers building on it - its attack surface could be smaller, but what about the code devs add? It's just less on the radar of security experts.
