I don't know the statistics for rates of hacking, Drupal vs. WordPress, but it's true of ANY system that not keeping it updated is a recipe for security vulnerabilities.

The only difference is that keeping Drupal up to date is more difficult than keeping WordPress up to date; the former requires more specific knowledge.