Permissions, Access & Security
I know that core team members and core contributors are actively involved in looking for and fixing any potential security issues.
Security is taken very seriously and concrete5's HackerOne account is an example of this.
"Created by security leaders from Facebook, Microsoft and Google, HackerOne is the first vulnerability management and bug bounty platform. We empower companies to protect consumer data, trust and loyalty by working with the global research community to surface your most relevant security issues."
Regarding WordPress hacks, I believe many of those have been caused by plugins. This too is something that concrete5 addresses. For a concrete5 add-on to be added to the marketplace, it must pass automated tests for basic issues and is inspected by a person (generally multiple people). This does not mean add-ons are perfect, but I do think it helps reduce risk.