Known and documented vulnerabilities can come from reverse-engineering security patches, or from reading CVE bulletins, or from reading security blogs and newsletters. Information about vulnerabilities gets disseminated pretty quickly.

A lot of folks are scared of zero-day vulnerabilities (vulnerabilities that are discovered by the bad guys and exploited before a patch exists), but it is far, far more common for bad guys to exploit well-known vulnerabilities after fixes are released. They rely on human nature--few people take security seriously, and a dismaying number of people can't be arsed to update their software.

I would not recommend using WordPress if your goal is good security. I've done computer security for years, and I keep on top of my WordPress sites, and yet I've still been hacked twice in the last three years. If you do use WordPress, there are some things I strongly, strongly recommend in order to make it more secure:

1. Install a plugin like Wordfence. This will add a firewall to the WordPress site, block brute-force hacking attempts, notify you of security problems, scan the WordPress site for malicious scripts and tampering, and send you emails when people attempt to hack the site or updates are available.

2. Use the Move Login plugin to change the WordPress login page to another place, like mywebsite.com/my-secret_login. A lot of WordPress attacks are simple brute-force attacks; by moving the login page, you make hackers knock at a door that doesn't exist.

3. Use Infinite WP to manage your sites if you have more than one. Infinite WP is a free package that keeps watch over all your WordPress sites and lets you update them all at once with a single button click. I don't know how I survived without it.
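As an added example, not code from the original post nor from Wordfence or Move Login: a small Python script that does in miniature what the brute-force blocking in step 1 does. It reads web-server access-log lines in the common combined format, counts apparent failed POSTs to the login page per client IP inside a sliding time window, and flags IPs that cross a threshold, then turns the flagged IPs into nginx `deny` lines. The log lines, IP addresses, threshold and window are constructed for the example; the login path is a parameter, so the check still works once the login page has been moved as in step 2. It assumes WordPress's default behaviour of answering a successful login with a 302 redirect and re-rendering the form (200) on a wrong password.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format (Apache/Nginx default): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (documentation IP ranges, not real clients).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:12:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:12:02:05 +0000] "GET / HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?")[0]  # drop query string, e.g. ?redirect_to=...
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def failed_login_attempts(log_text, login_path="/wp-login.php"):
    """Group the timestamps of apparent failed logins by client IP.

    Assumption (WordPress default): a successful login answers with a 302
    redirect to wp-admin; a wrong password re-renders the form with a 200.
    So POST + login_path + 200 is counted as a failed attempt.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path == login_path and status == 200:
            attempts[ip].append(ts)
    return attempts


def detect_bruteforce(log_text, threshold=5, window_seconds=60, login_path="/wp-login.php"):
    """Return {ip: peak_failures_in_window} for every IP whose failed-login
    count reaches `threshold` inside some sliding window of `window_seconds`."""
    flagged = {}
    for ip, stamps in failed_login_attempts(log_text, login_path).items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window's start forward until it is within window_seconds of `ts`.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def as_nginx_deny(flagged):
    """Render flagged IPs as nginx access-control lines, ready to include in a server block."""
    return [f"deny {ip};" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG)
    for ip, n in hits.items():
        print(f"{ip}: {n} failed logins within 60s")
    print("\n".join(as_nginx_deny(hits)))
```

Run against a real access log, the only thing to change is the log text and, if the login page was moved, the `login_path` argument; the threshold and window are tuning knobs, and a conservative window keeps an ordinary user who mistypes a password twice from being flagged, as 198.51.100.4 shows.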

Also, choose a reputable host that cares about security (meaning, not Dreamhost).


Photo gallery, all about me, and more: www.xeromag.com/franklin.html