Is HTML safe these days?

Decades ago I used to build websites, not many, but all of them on just plain HTML, no Javascript, no PHP. That was part of my everyday job back then.

Then I became an FM radio operator and forgot about it, didn’t come back to any kind of website coding.

I know WordPress and others are targeted every day, but my question is, how/where does HTML code stand after all this time? Is it safer than WordPress, Drupal or any other like that?

"Pure" HTML can't be tampered with.

The issue of exposure comes from the "hiccups" encountered when browsers are required to perform "embedded operations". That class of operations includes

  • unverified/unclassified/unchecked JavaScript in all its forms,
  • malformed CSS specifications, and
  • non-robustized FORM/DBMS transactions.

So, if everything is a URL to a static page, your site is "foolproof".

Otherwise, you need a security "wrapper layer" to filter out the bad stuff that might be "injected" into those JavaScript/FORMs transactions.

I don't have direct experience with implementing such security myself, but I believe the best "architecture" would be to have a separate wrapper for each of

  • internet-facing web-transaction handling engine "middleware", and
  • DBMS transaction server fully independent from the web-serving front end.

2 Likes

Is HTML safe these days?

Regarding web page content.
AFAIK HTML is just (the only) means of representing web page content. Given that, nowadays it is as safe as decades ago. Surely, HTML has evolved since then. Now it allows attaching some executable JavaScript code to a page, which can perform malicious actions. Well, HTML is like a hammer which can be used as a tool and as a weapon.

Regarding web servers and sites.
A whole lot of vulnerabilities are inherent to web server software and web applications and not to web page content itself. WordPress, Drupal, etc. are server-side applications and are by definition less safe than a static web page in plain HTML without JavaScript, PHP, etc. code.

Finally, about safety. One has to clearly state which kind of it is being considered. Surely, a set of possible threats to fend off is tightly coupled with desired server OS, web-server, pages' content and web-site functions in general.

5 Likes

HTML is only descriptive and therefore as such not hackable.

Problems start when webpages use executable code.
PHP is a potential vulnerability for the server (because it runs serverside).

OTOH JavaScript is a potential vulnerability for the client (because it is code running clientside, often using 3rd party "libraries" from other sites that are vulnerable to code injection because of dodgy security)... so what could possibly go wrong? :wink:

Then you are just as safe as you always have been. :slight_smile:
The danger is not in static pages but in executable code.

Yes, it is.

5 Likes
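
The line the replies above draw between static markup and executable code, third-party scripts in particular, can be checked mechanically. The following is an added example, not code from any poster in the thread: it uses Python's standard `html.parser` to list every place where a page goes beyond descriptive HTML. The sample pages, the `cdn.example` host, the `sha384-PLACEHOLDER` value and the finding names are constructed for illustration, and the check only looks for the presence of an `integrity` attribute, it does not verify the hash.

```python
from html.parser import HTMLParser
# Constructed sample pages for this example; cdn.example is a placeholder host.
STATIC_PAGE = """<!DOCTYPE html>
<html lang="en"><head><title>Whatever</title></head>
<body><a href="about.html">Everything else goes here</a></body></html>"""
ACTIVE_PAGE = """<!DOCTYPE html>
<html lang="en"><head><title>Whatever</title>
<script src="https://cdn.example/lib.js"></script>
<script src="https://cdn.example/pinned.js" integrity="sha384-PLACEHOLDER"></script>
<script>init();</script>
</head><body onload="init()">
<a href="JavaScript:void(0)">menu</a>
<form action="/search" method="post"><input name="q"></form>
</body></html>"""

class ActiveContentAudit(HTMLParser):
    """Records each place where a page is more than descriptive markup."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, kind, detail)

    def note(self, kind, detail=""):
        self.findings.append((self.getpos()[0], kind, detail))

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "").strip() for name, value in attrs}
        src = attrs.get("src", "")
        if tag == "script" and not src:
            self.note("inline-script")
        elif tag == "script" and src.lower().startswith(("http://", "https://", "//")):
            # Code fetched from another host: pinned by an SRI hash, or not.
            pinned = bool(attrs.get("integrity"))
            self.note("remote-script-sri" if pinned else "remote-script-no-sri", src)
        elif tag == "script":
            self.note("local-script", src)
        elif tag == "form":
            self.note("form", attrs.get("action", ""))  # implies server-side handling
        elif tag in ("iframe", "object", "embed"):
            self.note("embedded-content", tag)
        for name, value in attrs.items():
            if name.startswith("on"):  # onload, onclick, ... run script
                self.note("event-handler", name)
            elif name in ("href", "src", "action") and value.lower().startswith("javascript:"):
                self.note("javascript-url", name)

def audit(html):
    parser = ActiveContentAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

An empty result from `audit()` means the page is the "pure" HTML case discussed in the thread; each finding marks a spot where client-side code runs or a server-side handler is implied.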

Just throwing my little tidbit here: When the web became public in or around 1993 (I worked for a company that was a DARPA partner) I created a web site that at the time became a Google "page one" hit. I joke that it's only because there were only two dozen web sites in existence at the time! Over time, HTML has grown from version 1.0 to HTML5.

While so much has been added to make web sites interactive, and business-friendly, those are add-ons (javascript, php, perl, python, etc.). The current HTML Living Standard can be found here at HTML Standard.

But in a one-sentence description, HTML is the markup language sent by a server for rendering by a user agent (browser). Since there are so many browsers these days, they all must be able to understand and render pages in a like manner, or they will quickly fall out of use (remember Internet Explorer?).

So, it's a markup language, which simply means it simply tells the browser how to display web content.

3 Likes

Claudio, you weren't clear about

  • which end of the transmission (data receive/digest at server or client), or
  • which direction of transmission (client FORM "POST" or server "push")

you were concerned about.

1 Like

Thank you all guys for your replies.

Nothing specific really, it was more like curiosity for the current state of things.

After all, even decades later, the basics are still the same:

<!DOCTYPE html>
<html lang="en">
<head>
<title>Whatever</title>
</head>
<body>
Everything else goes here

</body>
</html>

1 Like