People, particularly about internet security are often lazy.
An example of which would be the Ashley Madison hack. How many users on there will have used the same password for their cheater account as what they use to get in to their email account that is registered with the same site? Makes you think...
I thought vbulletin was one of the most secure and up to date?
A couple forums I use have just moved from the likes of simple machines to vbulletin. Security being one of the factors in choosing to move.