Magento – A Tale of Woe

I have tinkered around with Magento a bit on the back end. It is what I would call a hot mess. The code base is huge. I did a Git pull of their most recent 2.4. The zipped file is 75MB. To put this in perspective, Zen Cart is 10MB. The code is also quite complex and not all that well documented. Unlike most PHP applications, where your needs are met with a LAMP stack, you need Composer, Elasticsearch and RabbitMQ. It also recommends installing phpMyAdmin, which is a task that very few people complete securely.

A recent attack has been hitting the version 1.x stores to steal, well, everything, but most importantly credit card numbers, and to tack a bit onto each transaction processed by the store.

Here’s the thing: these stores are still on this outdated version of the software because upgrading Magento is a mammoth undertaking. The more customized it is, the more difficult and expensive the upgrade, so a lot of stores are effectively stuck unless they change their platform, ditch a lot of their custom development, or make some other radical move in order to upgrade, since Adobe is no longer supporting 1.x.
