A clients site was recently hacked. I'm fairly certain the hacker came in through the shared server of the host. In the end, the simplest course was to remove the hack and make the client happy - if not a bit more wary. I encouraged the client to stay with the host since this sort of thing is not uncommon. Changing hosts is no guarantee. Unless the client is willing to step up to dedicated hosting, it could happen almost anywhere.
Yeah, I may be apathetic, but I have better things to do with my Saturday's than try to track down the source of a hack. For me the solution is to fix it and move on. And just to be on the safe side, it's time to change some passwords... again.