A website is not just 'build' and go, as many designers do. Newer websites use scripts, and basically any active program on a web server has potential to 'go bad'. But too many designers quickly build with tools 'that work' for them, and move on.
Then the headlines read:
Zero-day Vulnerability Threatens Many WordPress Sites
Attackers are exploiting a widely used extension for the WordPress publishing platform to take control of vulnerable websites, one of the victims has warned.
The vulnerability affects virtually all websites that have an image-resizing utility called TimThumb running with WordPress, Mark Maunder, CEO of Seattle-based Feedjit, wrote in a post published Monday. The extension is “inherently insecure” because it makes it easy for hackers to execute malicious code on websites that use it. At least two websites have already been compromised, he reported.
This is too common, and it is the reason that it is important that your web designer/developer maintains an ongoing relationship with you and your website.
Ask your developer if they monitor your site for insecure scripts, or ask them to show you how you can make sure your site is secure.
The likelihood is that you are on your own with that, or there will be an additional fee for each update. So, most websites will not be updated until they are hacked.
Just keep your websites updated and patched. Yes, it's a pain, but the alternative is your site looking like a giant advertisement for Viagra and Penis Enlargement.