WordPress, PHP, is it secure??

WordPress is reasonably secure *if* you keep it up to date. The problem is that most people don’t do that. On that page you linked to, it mentions that he was running WordPress version 1.2 as of last December. That’s a bit out of date.

It’s like any software package in that respect. When security problems are found and fixed, you have to apply those fixes to be secure.

Is there a list of fixes and patches on this site?

There’s no patch system, it’s just a matter of downloading the latest version and upgrading.

There’s no such thing as “secure” for any piece of software.

I realize that, but are there any major vulnerabilities that should be brought to the point before implementing the blog?

All issues were addressed with the 2.0.3 release.
Mainly they involved if you let people register on your site. They were fixed.
I suppose you could look in the previous releases to see what was upgraded.

Does your friends firm have experience hosting a site? Do they co-locate or use shared hosting? Do they have an experienced IT staff?

These are some of the key questions. ANY system they use will be compromised under the right conditions so the question becomes how will it be maintained and updated. And frankly, the exact same issues apply to any web site that would apply to a WordPress based blog.

The article you linked is a wonderful example of how not to run a site. WP 1.2 is relatively ancient, and it makes me wonder how old the version of PHP on his server was (he self-maintained his own server), how well it was configured, whether ANY attention was paid to ‘hardening’, etc., etc.

Short answer: If it’s hosted with a reputable host (they will make sure the Apache/PHP is pretty secure because they have personnel doing it day-in and day-out) and installed/updated by someone familiar with site security issues it is very secure.