I work at a university as a professor, and have created a custom CMS that can help other profs in how they teach their classes. My school is considering integrating the CMS into their "web services". After an initial conversation with someone from web services, she seemed to think that it would make things a lot easier if my system were integrated with Drupal to make it:

1) Easily customizable
2) So that we wouldn't have to worry about security issues
3) Extensible

As someone who has never used an out-of-the-box CMS, checking out Drupal's site, it seems that:

1) is correct since a user can apply new "themes" changing the the way the site looks very easily. Am I understanding this correctly?
2) I can't see the benefit of Drupal. If I'm already checking user input, guarding against SQL injection, password protecting pages (I'm using the most up-to-date version of the Zend Framework), then what do I gain in terms of security by using Drupal?
3) If my CMS were out-of-the-box, I could see this as being true; however, since it's a custom application, how could one extend it without having to change lots of my code?

Thoughts on any of the 3 points above would be appreciated.