Discovery of vulnerabilities may be influenced by market share.
Based on a market share indeed one may expect more discoveries in WP.
But the security comes with the reaction to the discoveries.
The rate of responses to vulnerabilities with patches and/or new releases is much higher with J!
That shows responsibility. That is why I trust J! over anything else.
I believe that a hacker would prefer to be as efficient as he can.
Most hackers are not efficient. They are just lazy. If you would check your access logs, you would see a huge amount of automated access attempts with reference to Wordpress. They are not looking for a new vulnerability, they are trying to use a KNOWN vulnerability... one that wasn't patched yet. They are even too lazy to first check if your site actually IS a WP site....
A highly popular CMS like WP with just a little effort in updating therefore becomes vulnerable.
And I like the https://vel.joomla.org
also know vulnerabilities in the extensions created by third parties are being published. This warns me as user and admin, but also is very valuable information for the developers to fix their extensions. Awesome service by the VEL team! Thanks team!