I’ll just mention that Webmin (where the most serious security concerns would be, since everything else is only going to have user-level permissions) has existed roughly as long as cPanel, and has a lot more users/installations (~2 million last time I took the time to add up all of the various Webmin download sources a couple years back, vs. a few hundred thousand for cPanel, think?). I believe our security record is as strong as anything out there, which is to say we’ve had a few problems over the decades of Webmin’s existence (and 15 years of Virtualmin), sometimes serious ones, but so has cPanel, and by and large I think our security record is very competitive with cPanel and better than most of the others.
The cPanel folks are good at what they do and I think they take security seriously (we’ve met most of their developers at Perl conferences), but, we’ve been Open Source and actively maintained for the entire life of the project. Seems like that ought to be worth some security/stability points that cPanel doesn’t get due to being proprietary. I know when I’m making decisions about software that has security or long-term reliability requirements, I choose the more open option whenever possible.
Most security problems come from not staying on top of updates, not using strong passwords, and running services or apps that aren’t being maintained. There’s little we can do about those things, though we do push updates really hard in the dashboard and we support 2FA and password policy settings and strong password hints, as well.