The source was the top 1,000,000 websites from Alexa, dumped on 13th of November 2014. So the data should be reasonably up-to-date.
Out of those websites, I was able to recognize 171,010 websites as running one of three of the most popular CMSs. For this task, I created a PHP library which detects CMSs in multiple ways (which is on GitHub by the way, so you are free to contribute!).
Why did I do this? I was curious about what the market shares of the top CMSs are. But my main reason was to look into Drupal versions, to see how many of them are kept updated and how many are still vulnerable to the Drupalgeddon bug.
CMS Market shares
Let's get this out of the way: people REALLY love WordPress! I wasn't expecting such a response, but it looks like WordPress is truly dominating the other CMSs.
Most popular Drupal versions
Let's dive into Drupal versions. So I managed to recognize 14,526 different Drupal websites running 52 different versions. Here are the 5 most popular versions.
So from this data we can see that the most popular versions are fairly recent versions (7.34 was the latest at the time of this crawl). I was expecting far more older versions. And also the top 3 most popular versions are safe from the Drupalgeddon bug, which is great!
Latest Drupal versions
The 7.32 version seems to have quite a bump, and with good reason: that was the first version to fix the Drupalgeddon bug. But surprisingly many sites update to the very latest version of 7.x.
Vulnerable to Drupalgeddon
And finally, the no 1 question I wanted an answer to: just how many websites are vulnerable to the Drupalgeddon bug? (According to website version)
So around 1/3 of top Drupal websites are not protected against the Drupalgeddon bug. This issue should be solved immediately; thousands of websites are in danger.
Please note: the Drupal version is not the best way of determining the vulnerability. You can patch your Drupal against the Drupalgeddon bug, which will not update the version number. So some older Drupal websites could still be protected against the bug.
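The version-based check described above can be reproduced offline against CHANGELOG.txt files collected from your own site inventory. This is an added example, not code from the PHP library mentioned in the article; the function names, the bucket labels, the assumed heading format and the sample inputs are all constructed for illustration.

```python
import re
from collections import Counter

FIXED_7X = (7, 32)  # first 7.x release with the fix, per the article

# Release heading assumed to look like "Drupal 7.31, 2014-08-06".
HEADING = re.compile(r"^Drupal (\d+(?:\.\d+)+),", re.MULTILINE)


def parse_version(changelog):
    """Return the newest release in CHANGELOG.txt as a tuple of ints, or None."""
    if not changelog:
        return None
    match = HEADING.search(changelog)  # topmost heading is the newest release
    if match is None:
        return None  # error page, stripped file, or a dev snapshot
    return tuple(int(part) for part in match.group(1).split("."))


def classify(changelog):
    """Bucket one site by version only; a site patched in place still looks old."""
    version = parse_version(changelog)
    if version is None:
        return "unknown"
    if version[0] != 7:
        return "other-branch"  # 4.x, 5.x, custom 8.x builds: reported separately
    # Compare as integers: 7.9 is older than 7.32, which float or string
    # comparison gets wrong.
    return "pre-fix-version" if version[:2] < FIXED_7X else "fixed-version"


def summarize(changelogs):
    """Count buckets over a {host: changelog text or None} mapping."""
    return Counter(classify(text) for text in changelogs.values())


# Constructed sample inputs (hosts, dates and contents are made up).
SAMPLES = {
    "a.example": "\nDrupal 7.34, 2014-11-19\n----------\n- Fixed security issues.\n\nDrupal 7.33, 2014-11-07\n",
    "b.example": "\nDrupal 7.9, 2011-10-26\n----------\n- Fixed bugs.\n",
    "c.example": "Drupal 6.33, 2014-08-06\n",
    "d.example": "<html><body>Access denied</body></html>",
    "e.example": None,  # CHANGELOG.txt not accessible
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        print(host, parse_version(text), classify(text))
    print(dict(summarize(SAMPLES)))
```

Sites in the "pre-fix-version" bucket still need a check of the installed code itself, since a patched core keeps its old version number.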
On a lighter note, let's get to some fun facts!
I found 2 websites running 5.x, and 7 websites running 4.x! No, seriously, 4.x.
One brave website was even running on a custom 8.129 version.
I couldn't recognize the versions of 129 websites. This is mostly because they did not have their CHANGELOG.txt accessible. I could recognize them as Drupal though, usually due to headers or meta tags.
What's the most popular Drupal website? According to Alexa it's taboola.com, on rank 358.
It took my VPS a week to crawl through all the websites and another 2 days to determine the correct Drupal version.