You’re right in part: it’s not that I don’t like the decision, it’s that I think there are some misconceptions about WP out there which are quite often about how it has been done rather than the actual thing itself. WP isn’t per-se insecure, it’s just that it’s so easy to throw together a new site that thousands (probably hundreds of thousands) of sites have been made without any thought about updates, hardening, etc — and yes, these do often suffer from awfulness — and yes, because it’s such a popular platform it gets more hack-attempts than anything else. It’s sort of ironic that the ease of use of WP as a platform is also a bit of an Achilles Heel for it..
I don’t have a team as part of thirty8 — it’s me and my wife, and we manage around 60 WordPress sites, with daily plugin updates, nightly backups, etc. It is totally doable, but only when it is done right — good hosting like WPEngine, proper plans for rollbacks, tools to help with automatic updates, Git deployments, etc.
I should have said — the rest of the post was superb, and I know that’s where the focus should be. The CMS discussion is ultimately a futile wormhole down which we’ve all been travelling since the internet began, so I’m sorry for going there.
Ultimately, and I really believe this, what works for you and your team is what matters. The site looks absolutely stunning, and some of the content decisions you’ve clearly made seem deeply sensible. So: yay :-)