I agree, for example: When a WordPress vulnerability is found, millions of sites are at risk. The large installation base is enough incentive for people to relentlessly scrutinize WordPress for vulnerabilities.
Your home-made CMS isn't going to attract attackers because the spoils are limited to one site, and the code isn't readily available.
That doesn't mean your CMS is more secure; it probably isn't. But it's going to take a focused effort to attack, and an exploit becomes less likely.
Even making minor changes to the WordPress URLs from the defaults is enough to avoid getting hit by most (if not all) of the automated exploits I see on a day-to-day basis.