I've heard similar stories but the devil is always in the detail. Wordpress is always a target due to its popularity, open source nature, the number of sites which don't update their Wordpress framework promptly and the sheer number of poorly coded plugins used by many sites, mostly the free ones.
What security issues did he encounter?
How secure was his site prior to the security upgrade?
What kind of upgrade was required? Did he ditch Wordpress entirely?