https://www.stopbadware.org/blog/2015/01/19/2014-metrics-and-2015-plans
Key findings:
* 66% of websites in our shared data pool are running an outdated version of WordPress when they’re hacked and never update their WordPress versions post-hack. Those sites have a 33% recompromise rate after they’re removed from blacklists.
* About 5% of websites in our shared data pool are running an outdated version of WordPress when hacked but do update their installation after compromise; those sites have a 17% recompromise rate.
* Sites that are running updated versions of WordPress when hacked and remain up to date are right in the middle, with a 22.6% recompromise rate. There are some other variables we’ll address in later research, namely how plugins and third-party scripts affect hack and recompromise susceptibility.