Wordpress - How do I technically prove that WordPress is secure?

Tell your client to read up on cybersecurity, because his premise is nonsense. Security through obscurity has been discredited since 1851 (yes, that's one and a half century ago). The opposite is also untrue. Open source software is not more secure than proprietary software.

The crucial thing in code security is not whether it's open or not, but whether it's well maintained. WordPress has an active community that is constantly alert on security matters. Follow the guidelines. Ask yourself how alert the authors of a rival cms are.

That said, security is a constant threat. There are no proofs or guarantees.

"Isn't Cassandra, the engine that runs Facebook, open source?" That question ought to put them at ease.

Cassandra is used by Apple and Netflix too, and it's open source. Further you could cite all the major sites that use WordPress. "If it's good enough for them it's probably good enough for you."

The point, as the other answer notes, is that how the software is made and updated is completely irrelevant to security. More important is how frequently it gets updated and how easy it is to update your specific sites. In my opinion WordPress is pretty good at this.