That's complete nonsense.
Quick setup and designs and loading times.
In WordPress, you have the choice of creating a custom design in your code editor or using the integrated block editor. The block editor is still evolving and can't do everything yet, but that's changing rapidly. Additionally, there is always the CSS editor. If someone wants more control in WYSIWYG mode, they can work in more professional editors, such as the Divi Site Builder.
Moreover, the ecosystem is huge. Bigger than with Hugo. If you just need a quick website for a craftsman business, it can be done in half a day, and it looks good.
The loading speed is only slower compared to a static website because WordPress is completely dynamic. But anyone who understands their craft reasonably well can achieve good loading times even with a website that has more than 14,000 articles from 900 authors, WooCommerce, paywalls, etc., according to every measurement tool (example: https://islamische-zeitung.de/ ).
No third-party connections.
This account has claimed that before, but WordPress does not make requests to third parties. The above-mentioned, well-loaded website does not have a single third-party request. Of course, this has to do with the choice of plugins. If you choose bad themes or plugins, it can happen that Google is fully embedded. And even if it is, there are very simple ways to get rid of such requests.
https://m.primal.net/KRll.png
Updates
This is the first time I've heard that security updates are something bad. WordPress is, of course, widely used and therefore a honeypot. But the update policy is so secure that I have set all my WordPress sites to "automatic updates" (the operator doesn't notice anything) and my sites have not broken even once in several years. So that's just another myth.
WordPress has no bloat unless you make it that way. It's not for nothing that it is the most widely used CMS and can do almost anything, which cannot be said of Hugo.
nostr:note1xp66qvlc6cp85fp5r6rmq32evnh33s08cnpsvuj98zlv7jgtkjlqaqkack