"most of which were compromised WordPress sites"
Wordpress not only helps you make and maintain a website easily, it's also the main vehicle for helping miscreants cheat people out of their money.
All that because too many people want a website but have no clue what the risks are, so they don't patch a thing. Wordpress, of course, sits on its hands about this. Too much trouble to go about checking site security on their own servers. I'm sure they could devise a tool to automatically check a site for vulns and then alert the site admin, but no. Costs money and makes trouble. Better to just blame site admins for not patching.