Bootstrap is just one example Mike. Yes it can be overcome with a little adaption here and there but I misunderstood you and thought you were just deploying the stock WebAssist CMS out of the box. Excuse me.
Both sets of extensions use publicly acknowledged directory structures (we change these names and locations) and when investigated by a malicious user opens up all types of possible vulnerabilities. Both sets of code have features that can and are exploited in the wild. The real job is protecting against these threats. I wouldn't say either is entirely secure. There are several files which I have locked down and removed lines of exploitable code from in the past. We pass all our code along for evaluation by various penetration testers and compliance regulators. It is truly amazing what comes back to us marked as vulnerable. You say above you don't like it when DMX updates your files such as JQUERY etc? Am I to believe you state the secure nature of WebAssist above yet choose to not maintain your files to the latest incarnations? That lowers the security and integrity of all that relies upon said files and leaves a gaping hole, in some circumstances, for access to old bugs and vulnerabilities that are easily exploited these days with minimum effort.