The two big CMSes, Drupal and WordPress, are free to download because they’re open source, but they do charge for hosting. Other CMS-like platforms, such as SquareSpace or Wix, typically charge users for hosting, too, and don’t require downloading anything since the CRM functionality is built-in.
For Drupal, all of the modules are free. Not all modules for WordPress are free, which means they’re not open source, so they could be riskier in terms of security vulnerabilities—a module could be made by some random person who may or may not know what they’re doing, so you never know what you’re actually going to get. In that case, WordPress modules are sold without being verified by a larger community, which adds a level of risk.
Only the WordPress CMS is backed by a guarantee from WordPress itself—they actually hired a big team of security experts about 5 years ago because they were doing so bad with getting hacked often.
If you don’t have a CMS, though, you end up paying per every update to your site; you could hire a kid who will do your website for $500, but there’s no guarantee of quality there. Then, that developer may charge you $50 per update after that, so you can save money by not building your site on a CMS but the quality will definitely suffer—and then you can’t instantly update the site, too, plus you risk spending more money if you have to make changes to the site regularly.