I think the answer is somewhere in the middle.
You need to advocate for your client and give them the information that they need to make good decisions. However, you are also an expert in the field and they are not, so you need to be wise about what recommendations you give them and why.
It would be very appropriate to inform your client that WordPress sites need a bit of maintenance and to be updated from time to time. You should walk them through what this usually means, the perils of over-customization vs. ease of update, etc.
But you also need to be understanding of the client perspective. WordPress is incredibly popular for a reason, which is that it's free/easy and works well. Like most things that are very popular, it's the target of many exploits, but whether that is a real business risk is not up to you - it's up to them. If your client is handling sensitive data, or has valuable transactions going through their server, then maybe WordPress isn't a secure enough choice. But if your client would like the value/price/ease/popularity/familiarity of WordPress even with some of the shortcomings, that is fine, too.
I host my corporate site on WordPress and guess what, I got hacked last year and it was down for 3 days before I noticed. A little embarrassing, but only a little, and I'm still on WordPress. It wasn't that big a deal, and my business is still profitable and humming along. I am not willing to invest in a 100% secure website; it's not worth it to me or for x million others.
It's also true that the server hardness makes a difference, and really all the popular CMSs are vulnerable to some degree.