The leading website creators are not companies like Wix or Squarespace, but installed versions of content management systems. Wordpress leads the charge, but there are millions of sites that are installed directly onto an owners server. This gives them full flexibility for customization, but it also leaves them incredibly vulnerable.
If you have an old Joomla 1.0 build and it is still up and running, you are one of the few. It seems like every CMS has some big security hole that is discovered by a hacker group. In October of 2014, Drupal got hit by a big one and more recently, a popular WordPress plugin revealed open entry to injecting malicious code. But even beyond these code failings, just by having old admin accounts or open form permissions can leave a site at the mercy of a talented hacker.
There is no ultimate solution for any website out there. They are always at the mercy of creative programmers looking to make a name for themselves. The truth is, if you are not continually manually upgrading your core CMS and all the plugins/modules associated, you will be at risk. And even with fully upgraded code, there is no ultimate CMS that is going to protect a site fully.
There are a good deal of people advocating for auto-updates in the same way Microsoft annoyingly needs to restart your PC every week. And even though it is annoying, it prevents you from losing all your data to viruses (so fair trade). If content management systems were to use auto-updating, it would potentially cause problems for website owners who have modified said modules/plug-ins or even core files. Hence why it always asks you first.
So the question remains, how to create a less hack-able CMS? The only solution is to move to a unified and very restricted service like SquareSpace or Wix where everything is universally controlled by a large company. The customizing advantages of content management systems are also the same reason they can be exploited. So it’s a balancing act when using any form of a CMS. And don’t expect this to change, an open web means that the code standards used have to be flexible enough to be taken advantage of.