Keep in mind the first time was about 20 years ago.

One time the hosting provider got compromised, FTP server exploit IIRC, they ran a recursive search and replace from root directory of the server.

It depends on how long you've been using WordPress, whether you use plugins, whether they're well-maintained or not, and so on.

Back around 2010, there were security vulnerabilities in WordPress or its popular plugins almost every month.