Recent research by W3techs has revealed what powers the top 10 million websites in the world. Most of them (50%ish) use no CMS at all (a CMS is a back-end admin panel you can use to manage a website). 30%ish are powered by Wordpress. While Wordpress has been the most popular CMS for a very long time now, this is the first time that this data has ticked over to 30% usage.
The next on the list is Joomla (although this is some way behind Wordpress) and then Drupal and Magento. Somewhat surprisingly (given the level of advertising), Squarespace trails behind all of these with less than 1% usage.
The ubiquity of Wordpress isn't surprising. At its most basic, it is a very simple to use blogging tool. A vast community has developed around it that extends this in various ways. Some of these extensions work very well. Some less so. For this reason, we tend to only advise Wordpress for smaller projects, and often recommend Joomla for more serious undertakings, as it can do more out-of-the-box.
It is surprising that Squarespace has not grabbed more of Wordpress's market share yet. It is at least as simple as Wordpress to use, and is even more "idiot-proof" as it literally doesn't allow you to do anything that could completely break a website. It may be the ongoing subscription that is putting people off taking this option (although this isn't a lot more than you'd pay to host a Wordpress website anyway). Maybe it's just people default to Wordpress because it's the only thing they've heard of.
Of course, there is a big downside to using the most popular CMS (whatever it may be). In much the same way as hackers target Windows over other operating systems as this is the biggest target (although the tide is slowly shifting here as Apple devices become more popular), Wordpress also presents itself as the obvious target for people trying to compromise websites. This is compounded by the fact that, as Wordpress can do so little out-of-the-box, people tend to install many plugins to get it to do what they need for the project in question. Every one of these plugins presents another opportunity to an attacker to get into your website. While ensuring all updates are applied mitigates this risk, if a plugin is abandoned, it will quickly become a liability from a security perspective. This is also true of Joomla and Drupal, but given limited resources, attackers tend to concentrate on the most popular platform.