Code-wise XenForo is very secure. It follows lots of best practices like parameterized queries, sanitized inputs, default escaping of outputs, CSRF tokens, bcrypted passwords, etc.
XenForo has a good security record with few exploits. In fact, exploits are often not part of XenForo itself but rather part of third-party code which XenForo uses (e.g. SWFupload). And exploits are always patched very quickly.
I have a lot of experience dealing with hacked forums and I rarely see a case involving XenForo. Of the cases I have seen, the attack vector has always been something outside of XenForo like a hacked server or some other script on the site.
I'll echo what @Jake Bunce wrote. I had an opportunity to talk to Kier and Mike when they were in Los Angeles briefly, and they shared with me their decisions on how they did things, and their approaches.
Being in the front lines day in and day out for security, XenForo is probably one of the very few applications I am willing to run without a WAF.