I'm working with a large (very large) nonprofit that wants to migrate to a CMS from their very maintenance intensive present site. Last year, they spoke to an expert that suggested they stay away from Joomla and other open source CMS because of security concerns (hacking and the like).

I have a few questions:
1. Is that a valid concern? (My gut reaction is yes)
2. Would a paid solution be more secure or would a custom built solution be really the optimum solution?
3. If paid solution, what recommendations?

Thanks for your responses in advance, I look forward to hearing the opinions on this board.