Stuff like this is why I usually set my smallest clients up with a static html generator. (At least if they don't want comments, and then we consider Disqus before wordpress.)
It is really hard to have vulnerabilities with static html. Similarly, hosting these costs nothing. Usually in the ballpark of $3/year, the DNS alone is the dominant cost. And if they do get a sudden inrush of traffic, static hosts need to see a thousand times more load than stock wordpress before they fall down.
Come to think of it, I've never had a client that was the correct size for Wordpress. They were either way too small or way too large.
Clients left to their own devices can eventually destroy anything.
I had a client who wanted a static site, but at the last minute decided they needed a "news" sidebar on every page that they could update. This was before any of the off-the-shelf solutions existed (for mixing static and dynamic content), so I wrote some JavaScript (before jQuery made ajax easy) that grabbed the content from a flat file.
Long story short, a few years later, they had someone on staff who knew some html, and they basically turned that tiny sidebar from a div displaying 2 or 3 paragraphs of text into an entire website--complete with oversized videos, rotating image headers, and dozens of links.