I've got 10 WordPress blogs and none have ever been hacked (knock on wood). However, I do harden them when I set them up, and I do the updates when they have security fixes.
1. Rename the prefix for the tables.
2. Use .htaccess password protection for the admin area.
3. Keep plugins updated.
It is getting to be a pain to do updates almost weekly, but I do appreciate the fact that the development team keeps on top of the issues.
One new problem that I saw recently. As of 2.8.2 the automatic update process for WordPress stopped working. Has anyone else seen this?
"Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote." -- Benjamin Franklin