Must read. Well worth digesting: the Sucuri quarterly report (link below). Sucuri is a company devoted to protecting self-hosted WordPress sites, as well as other platforms such as Drupal, Joomla, etc.

Self-hosted WordPress sites are the most popular and most widely deployed worldwide. As such, and due to lacking or absent maintenance, these sites comprise the lion’s share of hacked websites. Admittedly, many of the hacks originate from access to the web server gained via compromised plugins.
Sites hosted at WordPress.com on the other hand (shared hosting at Automattic.com) are nearly invulnerable. We continue to advocate that Small and Medium Businesses DO NOT LISTEN to web developers who promise secure sites on self-hosted infrastructure. That is regardless of the development platform and host.
Self-hosted maintenance costs over the long term will far and fast outpace any fees incurred for shared / managed hosting.