I could imagine coinbase have critical cookies containing user sessions attached to coinbase.com.
If they have a wordpress blog at blog.coinbase.com, then any xss attack in wordpress can steal customer accounts.
Sure, it's a fixable problem (by moving high security cookies into login.coinbase.com or something similar), but that's a big migration, and probably nowhere near the top of the engineering priority list.
So instead they point the domain at Medium and any XSS attack on Medium can steal their customer accounts.
I highly doubt either WordPress or Medium are susceptible to an XSS attack, but if I had to bet on one being safer I would bet on the open source software already used to power thousands of high profile websites.
If they have a wordpress blog at blog.coinbase.com, then any xss attack in wordpress can steal customer accounts.
Sure, it's a fixable problem (by moving high security cookies into login.coinbase.com or something similar), but that's a big migration, and probably nowhere near the top of the engineering priority list.