I work at a web design/development shop. Everything we do is centered around the Joomla! CMS. I'm a bit worried-if anything goes wrong with Joomla (major security flaw revealed, Joomla folds and ceases development) we're sunk.
I'm meeting with the CEO to plan the next few steps for our company. Should I recommend that we create our own in-house CMS or am I just being paranoid about a single point of failure?
I wouldn't create an in-house CMS unless your company has plenty of time and money to burn (as tsOverflow already said in his answer - creating a CMS is a huge task).
Plus, Joomla is open source, so it's very unlikely that it will cease development anytime soon.
I'd be worried if my whole company was centered around a closed source commercial product, because if the company that makes it closes or just decides to drop the product, then I would have a problem.
Even if a big company like Microsoft won't close tomorrow - of course they can decide to drop a product anytime, especially if it's not one of their flagship products like Windows (think VB 6, FoxPro...).
But any community-driven open source project with a large user base (like Joomla) won't likely die.
Even if the whole core development team would stop working on Joomla tomorrow, there are so many people who depend on it that some of them would have formed a new core development team (or forked the project and continued with a new name) after a few days.
Things like this happen in the OSS world all the time - Joomla itself was "created" that way, too.
I think you are just being too paranoid. Creating your own CMS is not like creating a Hello World program - it will require a significant effort to create one as well as maintaining, adding new features, etc.
Your fear can also be put in the context of say, jQuery - our website is heavily reliant on jQuery - what if jQuery dies? Should we just write our own extensive js library? Likewise to any programming language. Likewise to any tool that you use. What if Microsoft fails, should we write our own Outlook to make sure our email communication will not cease to exist?
There are plenty of times when it makes sense to make your own CMS. But general web site publishing is not one of those.
On the security end of things, its six of one, half dozen of the other. Sure, a home grown CMS wont be subject to known exploits. But on the other hand, it wont be as thoroughly vetted as a major open source project like Joomla, and will more likely have bigger unknown vulnerabilities.
And since Joomla is open source, if development stops on it, you'll likely be able to keep developing with it for quite a long time afterwards.
In short, if Joomla is working for you, I wouldnt switch.
I disagree with the other answers in this thread and think you should create your own CMS for the following reason:
It will be easier to create completely custom websites and decouple the frontend and backend
Most CMSs I've used have the frontend (the public portion of the website) tightly coupled to the backend (the admin portion of the website). If you roll your own CMS and create it in such a fashion that it is simply a CRUD application, then you can build a completely custom frontend that only needs to talk to the DB. For example, you could have your backend written in PHP, but the frontend could be written in Rails and as long as they talked to the same DB, it will be a seamless experience for the end-user. You won't find yourself tweaking the Joomla! view code to reorder the display of various elements on a frontend page. Instead, you'll be tweaking code that you wrote and that is completely decoupled from the backend.
Writing your own CMS, though, does induce alot of overhead in terms of frontend and backend routing, and you'll find yourself solving problems that have already been solved (such as breadcrumbs). But if you go this decoupled frontend/backend approach, it may be easier to develop completely custom websites.
It will not be worth it to develop your own CMS if the frontend and backend code will be tightly coupled, IMHO.
It's not that you are being too paranoid (the questions 'what happens if my CMS ceases development' and 'what happens if my CMS has a security bug' are good ones) - it's that you are being incorrect in your analysis of how bad that is, and what to do about mitigating them.
Starting with 'what happens if development ceases' - In the case of an open source product, if everyone else in the world gave up on the thing, you'd still have the option of doing it yourself, WITHOUT having to start from zero. Since that's unlikely to happen all at once, you'd actually have a good bit of lead to time to decide whether to hire devs, or switch, or whatever. Obviously Joomla suits your needs at the moment, so re-inventing the wheel at this point is a complete waste of money. The amount of work involved in writing a full-on CMS is NOT small.
On the subject of security bugs - it is FAR more likely that you'd introduce security issues into a bespoke product than if you use one that lots of other folks are constantly fooling with and which has a fairly high profile like Joomla. It's unlikely that your initial efforts wouldn't have at least a couple of major security flaws.
If you are really interested in mitigating these concerns to the greatest possible degree, then I'd advise you to hire a developer or two to perform security analysis and fixes on Joomla itself. The idea here is that instead of re-inventing the wheel, you'd make the wheel you're already using more secure by fixing problems, and you'd have an in-house dev already familiar with Joomla in the event that you did need to take over development completely.
