There are risks with all security protocols and you called out valid ones with auto update.
Do you have ideas for superior methods? A bit upthread someone mentioned clients paying him a monthly security retainer to monitor and update. This might be good, but pretty expensive so would price out lots of users.
Static generators are clearly superior from a security point of view -- the webserver doesn't have to execute any code. But, assuming wordpress exists; it would be best if the code ran in a user context that could not write anything to the filesystem; and the code was installed with another user, which could do auto-upgrade via a crontab. An exploit could certainly leave persistent data in the database, but not on the filesystem at least. It would also be great if the database had separate credentials for the user facing site (mostly read only) and the admin facing site.
On the other hand, I don't know how possible that would be to setup for inexperienced site admins on commodity hosting.
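One way to realise the two-user split from the comment above, as an added example that is not code from the thread: a deploy user owns the WordPress tree and runs the upgrade from its crontab, while the PHP worker user only has group read access. `wp_apply_layout`, `wp_audit` and `uid_of` are hypothetical helper names, the uid 33 and `www-data` are assumed values, and the cron line assumes WP-CLI is installed as `wp`.

```shell
#!/bin/sh
# Constructed example, not code from the thread: enforce and audit the two-user
# layout described above. A deploy user owns the WordPress code and runs the
# cron-driven upgrade; the web-server user (PHP worker) is only in the group,
# so it can read but never write. Users may be given as names or numeric uids.
set -u

uid_of() { id -u "$1" 2>/dev/null || printf '%s\n' "$1"; }

# wp_apply_layout DOCROOT DEPLOY_USER WEB_GROUP   (needs root for chown)
# Dirs 750, files 640: owner rwx/rw, group (web server) read only, other nothing.
wp_apply_layout() {
    chown -R "$2:$3" "$1"
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# wp_audit DOCROOT DEPLOY_USER WEB_USER
# Prints one "reason: path" line per violation; returns 1 if any were found,
# 0 if the tree is clean. Catches files the web user could modify, which is
# exactly what a code-execution bug in a plugin would try to do.
wp_audit() {
    deploy=$(uid_of "$2"); web=$(uid_of "$3")
    out=$(find "$1" -print | while IFS= read -r p; do
        owner=$(stat -c %u "$p")              # GNU stat (Linux)
        perms=$(stat -c %a "$p")
        if [ "$owner" = "$web" ]; then
            echo "owned by web user: $p"
        elif [ "$owner" != "$deploy" ]; then
            echo "unexpected owner uid $owner: $p"
        fi
        # last two octal digits = group/other; a set 2 bit there means writable
        case "${perms#${perms%??}}" in
            *[2367]*) echo "group/other writable ($perms): $p" ;;
        esac
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Example crontab entry for the deploy user (runs as deploy, never as www-data):
#   0 3 * * * cd /var/www/html && wp core update --quiet && wp plugin update --all --quiet
```

Run `wp_audit /var/www/html deploy www-data` from the upgrade job itself so a plugin that silently chmods its own directory shows up the next morning.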
We created Strattic to allow anyone to use WordPress (and eventually other CMSs) as static site generators. It's the best of both worlds. We're in private beta but you can check it out here: https://www.strattic.com.