Security track record

Measuring or quantifying security risks in software is hard — security is a process, not a product, and thus requires constant vigilance and good coding practices combined with security reviews. Yet we have never received a report of a serious vulnerability in Plone being exploited in the wild.

An important metric is the severity of vulnerabilities, as well as how widely they are exploited in the wild. We have only had reports of a few sites ever being hacked, and these were all sites that had not installed an emergency security fix within 6 months of its release. Due to Plone's advanced sandboxing and security features, most vulnerabilities only affect the site itself. Most vulnerabilities found in Plone do not expose sensitive information or allow access to the server.

Unfortunately, there are no trustworthy statistics on vulnerability numbers available, mostly because security databases are often outdated or incomplete. That said, Plone consistently has fewer vulnerabilities reported in those databases than other content management systems. Because our security team diligently reports any vulnerabilities found and works with vendors such as Red Hat to ensure our reports are complete and accurate, this is strong evidence for Plone's security.