This announcement from the Drupal security team put them on first place on the list of security announcements from Open Source CMS vendors in 2007. Xoops shares the first place with Drupal but Xoops has no announcements regarding security issues in their core.

Drupal works with a micro-core approach in their CMS design. This makes them rely heavily on external modules to add functionalities to their CMS environment. In a responsible way, the Drupal project handle the negative aspects of a micro-core approach that we have presented in our article Introduction to Open Source CMS: Security - Micro-core approach.

You can read more about how to evaluate security in an Open Source CMS here : Open Source CMS: Security - Open Source CMS Security conclusion.