Nobody wants their website to be hacked, so it is important that you keep your site safe and up to date. WordPress and Joomla are both basically safe. As soon as a security risk or vulnerability is discovered, an update will be released to resolve the issue. That happens about as often for WordPress as it does for Joomla. With Joomla you have to perform those updates yourself (by clicking on a button), with WordPress you can have this done automatically.
The real danger: extensions
But the security of your site is not only determined by the CMS: if a site is hacked, the cause is all too often an outdated plugin or extension. Therefore, if the developer does not release updates for his extension (s) in time, there may also be risks. And the more extensions or plugins you have installed, the more vulnerable your site can be because you have no influence on whether those extensions are safe and remain when a risk is discovered.
A WordPress website generally has more extensions than a Joomla website, because WordPress has fewer built-in features. So there you will have to use plugins faster to create the functionality you need - and thus be more at risk.
Since WordPress is the largest CMS, it is popular with hackers. If you look at the logs, you will see that there are many login attempts and often attempts to enter the site through a vulnerability in a WordPress plugin (regardless of whether it is installed on the site).
Of course they know that with WordPress itself. That is why there is a handy tool with which you can check whether plugins that you do not use are installed: the Site Diagnosis. It is built into WordPress as standard.
SSL (green lock)
Do you have an SSL certificate on your website? Then you can indicate with Joomla with one tick that the site should always be displayed over https. WordPress does not have that possibility built in, for that you have to adjust scripts.
For two-step verification (for example with a Yubi-key or Google Authenticator app) you need to install a plugin in WordPress. Joomla comes standard with the ability to enable two-step verification. You don't need any extensions for that, which is built into the core.
Which system is safer?
In itself, Joomla is safer. You don't need to install as many extras to get your site working, and Joomla comes with the SSL option and two-step verification by default. At WordPress you depend on plugins for that.
Both systems act quickly and appropriately when a security risk or vulnerability is discovered in the CMS.
Do you want more security options than the core offers? Firewall, monitoring and backup extensions are available for both (sometimes even from the same developers).