I recently had to work on recovering a hacked website for a client I had not worked with for about 3 years, and in this case it was an aged Drupal site, not WordPress.
The content management system hadn’t been updated in that time, although whether it was that (most likely) or poor passwords was difficult to tell.
I managed to remove all the hacked files and restore the site within 24 hours. But the upshot is that it doesn’t take much to allow your website to fall into the “at risk” category.
Regular website maintenance, strong passwords (I recommend using something like Strong Random Password Generator) and use of security plugins like WordFence can all help prevent your site going offline.
And it goes without saying that a good website hosting company with daily backups will help with this.