For further information on web security and how hackers exploit vulnerabilities, please read below:
The majority of web site compromises happen because of:
1. Stolen FTP credentials. Spyware on webmasters' computers: key-loggers, traffic sniffers (the FTP protocol sends the username and password as plain text), and trojans that steal credentials from various programs' configuration files (FTP clients, Dreamweaver, etc.).
2. Security holes in popular web software: CMS (Joomla, Drupal, etc.), forums (phpBB, vBulletin, Simple Machines, etc.), blogs (WordPress). Once a vulnerability is discovered, hackers configure their automated tools to search the web for websites running vulnerable versions of the software and exploit them. This can be done easily and at almost no cost when they have an army of zombie computers.
3. Security holes in "in-house" web software. Many novice (and even many experienced) web developers don't properly sanitize user input, making various attacks possible (SQL injection, XSS, etc.).
4. Poor security practices (things that must be configured manually by site admins and cannot be fixed with automated security updates): weak passwords, insufficiently strict permissions for limited accounts, files and directories with world write permissions, etc.
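One way to check a site for the world-writable files and directories named in item 4, as an added example that is not part of the original article. The function names are hypothetical and the document root you pass in is an assumption; the script itself uses only standard `find`, `stat` and `chmod`.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable files and directories.
# Usage: sh audit.sh /path/to/docroot   (the path is your site's own document root)

# Print one line per world-writable entry: "<type> <octal-mode> <path>".
# Symlinks are skipped: their own mode bits say nothing about the target.
list_world_writable() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # -perm -0002 matches any entry whose "other" write bit is set.
    find "$root" \( -type f -o -type d \) -perm -0002 -exec sh -c '
        for p in "$@"; do
            if [ -d "$p" ]; then t=dir; else t=file; fi
            # GNU stat first, BSD stat as a fallback.
            m=$(stat -c %a "$p" 2>/dev/null || stat -f %Lp "$p")
            printf "%s %s %s\n" "$t" "$m" "$p"
        done' sh {} +
}

# Number of world-writable entries under the given root.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Remove only the "other" write bit; owner and group bits are left untouched.
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -exec chmod o-w {} +
}

# When called with a path, report what was found under it.
[ "$#" -eq 0 ] || list_world_writable "$1"
```

Review the listing before running `fix_world_writable`: an upload or cache directory may have been made world-writable because the web server runs under a different account, and the better fix there is correct ownership rather than mode 777.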
Please also see the following articles:
http://en.wikipedia.org/wiki/Gumblar
http://www.google.com/search?q=mysql+injection
http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.google.com/search?q=php+script+vulnerabilities
http://en.wikipedia.org/wiki/Remote_File_Inclusion
http://en.wikipedia.org/wiki/SQL_injection