The servers are
only as secure as the code that's on there. If you're running old code, expect your site to get done over from all the exploits that you're allowing. Most people simply upload Wordpress or Joomla or something, and think that's all they need to do. They don't bother securing it, they never bother updating it, and they use untrusted unofficial third party modules that have exploits in them.
Then they come crying to anyone and everyone when their site gets compromised, instead of taking the responsibility themselves for not knowing what they're doing.
It doesn't matter how idiot proof you make scripts or servers, there's always a bigger idiot out there.