Open Source CMS Security conclusion

Security is a difficult subject to draw any final conclusions about. It would be impossible to claim that one Open Source CMS vendor is better than another.

It is recommended to take a closer look at the whole surrounding environment, not only the Open Source CMS itself. Many people focus on PHP-based Open Source CMSes and limit their choices to this range of systems. It is worth taking a look at Java- and ASP-based systems as well, because of the security concerns of your website.
Conclusions drawn simply from the number of discovered security flaws can be equivocal.

  • For jumbo-core Open Source CMSes, take into account all security announcements.
  • For micro-core Open Source CMSes, take into account all core security announcements plus the security announcements for the modules that you are planning to use.
  • If there are no security announcements regarding the core or your desired modules, investigate the reasons. Maybe nobody is making security announcements at all.

Last but not least, keep in mind that modules often have a weaker or less predictable design than core functionality. Look for extension classifications or commercial modules. Open Source CMSes still have much to learn from Open Source CRMs like SugarCRM when it comes to modules and extensions.
