WordPress is a security problem
I know I'm going to catch flak for this.
WordPress and all of it's plugins and themes are a huge target for hackers and reliably available online.
The main problem is that users don't regularly update, or rather that they can't in many cases.
That is, assuming the plugins are updated for security holes at all.
I wouldn't be surprised if hackers had databases of the exact versions, plugins and themes of millions of WordPress installations.
Just wait for a new public disclosure, replicate the exploit and attack the matching sites in your database.
They could have hundreds of freshly hacked WP sites every week.
These sites may only stay hacked for a few days or weeks, but it's simple economics.