I've got 10 WordPress blogs and none have ever been hacked (knock on wood). However, I do harden them when I set them up, and I do the updates when they have security fixes.
1. Rename the prefix for the tables.
2. Use .htaccess password protection for the admin area.
3. Keep plugins updated.
It is getting to be a pain to do updates almost weekly, but I do appreciate the fact that the development team keeps on top of the issues.
One new problem that I saw recently. As of 2.8.2 the automatic update process for WordPress stopped working. Has anyone else seen this?
"It's inexcusable for scientists to torture animals; let them make their experiments on journalists and politicians." -Henrik Ibsen