A popular NZ blog I follow got infected by something like the worm mention in this wordpress.org post. They were running a very old version of wordpress, 2.5.X or some such. When I spoke to one of them, they said they knew they were running an old version, but their answer was move to drupal. It just had not happened yet.  While their move might be for other reasons than security, leaving a public piece of software unmaintained while waiting for a replacement is a bad idea.
Upgrading wordpress is now pretty seamless. Please follow the advice in the wordpress post.