I'm a few days late to this topic but I'll go ahead and promote my favorite system...
Expression Engine. I don't think you can find a better system to be honest. It's a commercial product but is worth every single penny in my opinion.
Did you recently get your EE site hacked and defaced several times?
It's no good if the CMS system has exploits, hacks and they just write a blanket statement that Expression Engine has no security flaws.
Case point #1.
How many custom themes are available for Expression Engine vs. XenForo? At what cost and price are they? Why are there so few vendors vs. so many in XenForo? Did you see that many of them discontinued support when those theme sites got hacked?
Case point #2.
Since many of these themes, plug-ins and code snippets use an older EE engine. What happened? Were the authors unable to upgrade them? Why not? Why do they sell older things that have security vulnerabilities in them? Why is it that XenForo looks at security more seriously than ExpressionEngine developers?
Case point #3.
How many useful custom plugins are there for EE vs. XenForo?
For less than a thousand, I can get almost all the stuff I need for spanking Blog, Wiki and Forum engine all in one.
How much would it cost if your site got defaced, your MySQL data hacked and server compromised?
Who is responsible? If nobody is, it's time to move on and remove Expression Engine from your servers.
Case point #4.
Did anyone see any ExpressionEngine forums lately other than the vendor's?
Perhaps they were defaced regularly and nobody could make a decent forum (with skins, themes, plug-ins) and a decent spam filter that actually worked for ExpressionEngine. Either it was too expensive (EE + Portal + Forum + Wiki + Skins + Wiki Skin + Forum Skin) vs. (XenForo + XenCarta + XenPorta + Skin + Custom coding).
Case point #5.
Did anyone use their Expression Engine sites from mobile and find that due to Mobile DNS, you cannot log in?
Case point #6.
Who is accountable for security exploits if the ExpressionEngine vendor updates their works and those 3rd party vendors refuse to update their plug-ins?
Case point #7.
No security vulnerabilities eh?
http://www.osvdb.org/
ID Disc Date Title
84453 2012-07-19 CodeIgniter system/core/Security.php xss_clean() Function XSS Protection Bypass
77415 2011-11-28 EllisLab Multiple Product xss_clean() Function XSS
77412 011-10-17 EllisLab ExpressionEngine Unspecified XSS
61995 2007-12-01 CodeIgniter user_agent Global XSS Filter Bypass
52845 2009-01-28 ExpressionEngine system/index.php avatar Parameter XSS
41585 2008-01-03 ExpressionEngine index.php URL Parameter XSS
43419 2008-01-03 ExpressionEngine index.php URL Parameter CLRF
40409 2007-10-08 Perl Regular Expression Engine (regcomp.c) Polymorphic opcode Support UTF Regexp Handling Remote Overflow
22724 2006-01-24 ExpressionEngine index.php $_SERVER['HTTP_REFERER'] XSS