WordPress is big and popular. That makes it interesting for developers to make extensions (plugins) and so many plugins are available for WordPress. That's good, because you also need it.
If you would install a WordPress website without extras, you can blog, and nothing else. For many of the functionalities you need on a "normal" website, you need to install a plugin in WordPress.
For Joomla, you probably guessed, fewer extensions are available (but still a sloppy eight thousand, ranging from a simple slideshow to a complete webshop).
On the other hand, you don't need an extension as quickly with Joomla, because functions that are missing in WordPress are already built into Joomla as standard. And if you can do it with the core, you don't have to install an extension.
Install plugins / extensions
So if you want extra functionality on your website, you will soon be using a plugin in WordPress. The fact that there are many plugins available has its advantages: a lot of choice and many extra functions that you can add. It also has disadvantages, because which one should you choose? Fortunately, the plugins in WordPress you can immediately see whether they are suitable for your WordPress version, how they are rated and when they were last updated. Of course, that does not give any guarantees for the future.
If you need a function that is not standard in Joomla, you will find extensions in the JED, the Joomla Extensions Directory. Again, you can see for all extensions for which Joomla version you can use them, how they are rated and when the last update was released. And also here applies: no guarantees for the future. What you do know for sure: all extensions in the JED are in principle compatible with the current main version of Joomla (3).
With both systems you can install extensions / plugins from the backend, upload via a zip package or install via a special url.
Whatever CMS you use, extensions and plugins pose a risk to your website.
Of course you choose an extension from a reliable developer or a plugin that you know is widely used. But that does not automatically mean that it is or remains safe. The developer can stop, which can result in your extension remaining on your site for years ... without updates or security patches. The more extensions there are on your site, the greater the risk.
WordPress has a double disadvantage: it requires more plugins than Joomla, and it is also very popular, so a popular target for hackers.