Here's a short and purely subjective list of bad coding paradigms that are used in Wordpress for years. Some of them are critical security issues that WP developers don't seem to care about:

• all files are stored in public directory
• access to php files in main dir and template dirs is not forbidden by default in .htaccess
• no official template engine support
• templates are written in php mixed up with html
• autoupdate installs new themes made by WP developers by default
• wp-login lacks any protection from bruteforce attacks
• no official SQLite database support
• classic editor is only available as plugin now

Fortunatelly, some of those problems can be avoided. I don't imagine using Wordpress without clean MVC template structure, Twig, SQLite (for smaller pages), denying access to everything except assets in template dir and disabling a lot of default «features» that can cause you a lot of trouble.

If you know more bad coding paradigms examples in Wordpress, feel free to share it in the comments section.