Web site security is easily overlooked because businesses assumes a web designer or developer knows about web security before they hire the person. But unfortunately website security is a tricky subject to learn and it requires more than just web design experience to be on top of it.
Websites are getting as complex as desktop software ever since databases became the norm to incorporate as part of the website. Also most websites on the internet have been created from public (open source) code. This means that if a hacker knows that your website is created from a particular code base, like Wordpress then they have access to very sensitive information about how your website was built.
Most developers use public code to build clients websites because it is cheaper to create. I do this too and I can say that it can be tricky to make a complex website secure.
A myth about website security is people believe a secure website does not need ongoing attention to keep it secure. The truth is no website can ever be 100% secure. Especially if it has a login system available through the internet.
Internet security is a relatively new concept that was developed after the internet was created. This means website security had to be built around a system that had no reason to be secure when it was first made. It was originally designed for scientists to privately share their knowledge, websites like eBay or Facebook were created long after the internet was born.
Hacking random websites is as common as public vandalism, and the biggest deterrent to stop someone from damaging your website is to make it difficult to hack into. You can't expect a website to be impenetrable but you should expect a developer to make your website hard to crack. This will dramatically improve your chances of having no trouble from hackers.
The video below shows a brief overview of website security.