I have been hacked many times.
I would say about 50% of the time, its a vulnerability on my site and 50% its the hosts.
I guarantee though that the hosts deny responsibilty 100% of the time!
Even when you point out other websites on their servers that have the same hack.
I recently had hack on one of my better sites through a news feed and the hack created a thousand .php pages promoting pills with a simple text file. He then used the same vulnerability of many other peoples sites and created tens of thousands links to those pages he created on my site.
I really only noticed when I got a jump in my main serps and a email in my webmaster tools account that I have a sudden increase of traffic and revenue.
All those thousands of extra links to those pill pages boosted my own mainstream serps.
I was almost reluctant to clean the hack and disavow the links :)
but I did and my traffic and serps plummeted henceforth.
I saw no evidence that my pill pages were ranking.