The real crux of Drupal versus Joomla security, says Hill, is the severity of the exploit. "Drupal has a low number of vulnerabilities compared to Joomla, and the condition to exploit Drupal, in almost all cases, requires permissions typically granted to trusted users. Joomla, on the other hand, is more vulnerable not only because of the sheer number of exploits, but the severity, and the ability to trigger the exploit as an anonymous (unauthenticated) user."
Short answer: Don't make security the deciding factor in choosing between these two Open-Source CMSs. But don't neglect security as you design, code, deploy, administer and manage your Joomla or Drupal site, any more than you would for any web site.