I have a number of smaller clients on Drupal. Since Drupal gets updated more frequently than WordPress, and since (for 7 anyway; maybe 8 will be different) someone with a certain skill level with Drupal and FTP has to still do core updates, it is an extra running cost that WordPress, for all intents and purposes, does not have (all updates can be done via the GUI and by the site owner).
My question is: how do others in the community explain this issue to the client/site owner? I have clients who are not that familiar with the details of how websites work, and don't always follow technical lingo. I obviously have to charge for this service, so I am constantly working on my explanation / justification.
I always explain that it is not just a matter of accessing files on the admin pages, or even files on the server. A hacker who gains access could conceivably deface the site, or even insert a malicious script which can affect anonymous visitors.
I am rereading greggles' book on Cracking Drupal just to get back up to speed and remind myself of certain factors, but was wondering how others in the community effectively explain this issue.
Thanks in advance for any insights provided!