Most agency WordPress builds rely on a long plugin chain. Each plugin adds maintenance responsibility and vulnerability risk.
Outdated plugin dependencies are one of the most common compromise vectors in WordPress incidents.
Custom framework builds are not risk-free, but they remove the plugin attack surface and make security ownership explicit.