Drupal is in the top 3 used CMSes so it is definitely a target for hackers especially given the many high profile sites such as Whitehouse.org, Boston.gov and weather.com. Like WordPress, it is also open-source and has a healthy community of many eyes looking for security (and other) bugs to fix before they can be used my malicious actors. Hence as with most software, it is imperative to apply updates especially security updates as promptly as possible - preferably within 24 hours of release.
One of the reason for the importance of promptly apply the patch is that the security patch basically gives malicious actors a map of how to target the patched flaw. Drupal makes applying patches promptly somewhat easier than most other CMSes, through "Security Wednesday". The 3rd Wednesday of every month is a core security release window and if there are any bugs discovered, a patch will be released between 12 and 5pm Eastern Standard Time. Many months there aren't any patches, but this provides system administrators a specific timeslot to be ready if there are any. For contrib modules, every Wednesday is a potential release day for security fixes.
Drupal core obviously gets the most eyes on it so contrib modules are slightly more likely to have undiscovered security flaws. However that is partially mitigated by the fact that not all modules are used on all sites. However any custom code should be well analyzed before deployment to ensure you aren't decreasing security.
We at BriarMoon Design have participated in the Drupal Security process, fixing Cross-Site-Scripting (XSS) Security flaws in the Tribune module, as well as identifying issues in pre-release versions of other modules in the sandbox system. Let us keep you secure with a security review or regular maintenance! Give us a call or send us a message to get started today.