Personally I deleted unused aspects of Wordpress in my installation.(not disabled, deleted) I then disabled anything that wasn't used and non-essential. I've never had problems in years of use. I'm a coder so this is a lot easier for me to say but the point being that limiting access seemed to work for me.

BTW, don't confuse WordPress hacks with hacked servers. There are some hosts that are literally infested with sites hacked with hidden links that appears to be a hosting problem, not a WordPress problem.

If you've had this issue you should use Google to see what people are saying about your host as I know a few that are severely infested.

I use a host that is known for high security. Sometimes it is a pain to go through the extra steps for something but it is nice to know they work very hard to secure the network.

One team member isn't nearly enough to validate code for security

Bill I'll have to admit I don't know exactly what the mod validation process is. I do know the guidelines set down are pretty strict to help prevent exploits from creeping in to begin with. It's my understanding the ones that do get rejected are usually because they don't follow the guidelines. There's a team of about 8 mod validators and only about 150 have been validated since about this time last year. They just added some "junior validators" to pre screen mods to help speed up the process.