Matt Mullenweg has released Wordpress 2.0.6, an open source (GPL) blog engine based on PHP and MySQL. 2.0.6 fixes assorted security bugs, which is no great surprise since they're still trying to spackle over every security hole that pops up. WordPress has some deep architectural flaws that the developers are in serious denial about. I don't think we've seen the last major security hole in this product. This release has a really serious conflict with FeedBurner, so you may want to wait for 2.0.7. I'm not sure whether it's Wordpress's fault or FeedBurner's. I've heard both groups blamed. However given Wordpress's known disregard for HTTP, I know where'd I'd put my money if I had to bet.
I use WordPress to power The Cafes and Mokka mit Schlag. It's got a lot to recommend it including the user interface and themability. Unfortunately HTTP, XML, and security are not equal stengths. It may (or may not) be the best open source blog engine available today, but it's certainly not even close to the best one that's possible.