I host 1000s of WordPress site projects.

WordPress security is rock solid, if you...

1) Only use repository themes + plugins. If you use random paid themes + plugins, you'll likely get hacked.

2) You must install an auto update plugin, which installs all core + theme + plugin updates, as they occur.

Note: Hackable themes/plugins + people reusing weak passwords across many sites is the primary ways hackers get into sites... through WordPress...

3) That said, for my 5% of all site hacks occur through WordPress 95% of site hacks occur because the hosting company is 100% incompetent.

If you're truly concerned about security, the most effective part of your security is the one person you pay (normally a king's ransom) to keep all your OS code updated, which also means you'll be running on dedicated servers... rather than normal shared hosting.

The quality of the person you hire to setup + maintain your security, will determine your security.

Scalability: This also depends on the person you hire for this. Normally one person will take care of both.

When I deliver a WordPress site to a client, normal site speeds run at 1,000,000+ requests/minute throughput... which means...

Anyone who tells you WordPress is slow... simply doesn't have the experience to tune WordPress to run fast.

WordPress is secure + scales, directly related to the intelligence of your Server Savant... you have doing all your server work on a regular basis.