Back in August 2013, I wrote the original version of this article on my Drupal Gardens blog.
Drupal.org provides a number of pre-packaged distributions (e.g., Drupal Commons, DKAN, etc.) that allow users get a fully-featured Drupal installation up and running in no time, but maintaining an installed distribution can be tricky. You may need to juggle distribution updates with contrib module updates, core updates, and your own customizations. If you aren't careful, it can be come a maintenance nightmare!
As Dries has stated many times, Drupal is the future of the web, and distributions are critical to that future.
This post is part of the "All you need to know to become a great Drupal developer" blog series.
Security issues are created in custom code when developers cut corners during development or don't make proper use of the APIs, among other reasons.