WordPress recently updated to version 3.6.1 fixing a number of security vulnerabilities. I have no direct visibility into the specific number of how many of the 71 million WordPress deployments have updated to the latest version, but I know for a fact that not all of them have.
In fact, there are many vulnerable, unpatched WordPress deployments. The technique known as “Google hacking'” can easily identify vulnerable sites. With Google hacking, a search query is entered into a search engine that will search code (for example, https://search.nerdydata.com/). To Google hack a WordPress site, an attacker or security researcher just needs to look for the WordPress site identifier that discloses what version of the software a site is running, in order to find older, unpatched installations.