Oh please. Calling it a CMS is like calling a go-kart a car. Both do the same job but one is a shabbily built, usable but neither efficient or elegant. Or it's like comparing a basic Nokia handset to an iPhone because they can both make calls when you want more than just calling functionality.
Check out the custom template feature (90% like SSI.php)
It's nothing like SSI.php except vaguely conceptually.
it can be used in websites where you need to handle a lot of pages and people contribution..
Not without significant work.
OK, I'm going to reiterate a point that I think has been forgotten.
I'm not bashing WP based on what I've seen. I USE WP CURRENTLY ON TWO SITES. I know exactly what it's capable of. Anything beyond a basic blog, it just can't handle. You cannot even have a page that's visible to signed in members only without *custom coding*, and not trivial custom coding, to boot. That alone rules it out of being a good CMS.
I shouldn't care about security
So when users get hacked, I can send them your way, can I? Because you know if a Wedge install gets hacked, they feel it's our fault first and foremost and never theirs.
saying that if they're under a shared hosting and they use the web interface to upload & install stuff, they are at risk..
Most users do not understand what shared hosting means. And they won't listen to that warning, they'll upload and install stuff regardless - but it'll be our fault when the shit hits the fan because "[Wedge] should have prevented there being a problem" and anything else is making excuses.
There's no best answer, only a selection of varyingly-bad answers, and right now I'm just sensing that not having an upload feature (like, I'll note, XenForo and quite probably vBulletin, though I haven't used it) is actually the lesser evil.