That's hysterical: "contact your hoster" when shared hosting is more often the problem than not. One account on the server with a vulnerable Joomla, WordPress, etc. and the whole box is infected, SEO injections on thousands of accounts, spam spewing out the SMTP server and the host will say "change your FTP password".
All hosting needs to be virtual per account to avoid this garbage which is the real solution to mass account hackings and Google would do people a favor suggesting they switch to such virtual server services but people are simply too cheap.
The other solution to the problem is to get most dynamic websites off the front-end server because access to actual code is where the problem starts and if the code was running in a back-end server, not directly addressable via HTTP, that would eliminate how most exploits happen in the first place.
Short of that, CMS systems should start publishing static sites and only allowing the admin's IP direct access to the CMS thus eliminating exploiting the CMS.
Then of course the control panel software the hosters use, which I use as well, is also exploitable which recently caused a server I run to be compromised so there's really no good solution to the problem except keep everything updated and hope the updates are available and installed ahead of the hackers exploiting your server.
Basically it's just a numbers game and no matter how hard you try eventually your number will come up,