Well, full understanding on that one - especially open source CMSs seem to be targeted. It is a challenge, and it has become much worse over the last year or so (Drupal, Wordpress, etc.).
But for the time being, this site works.
And the problem ofcourse is that the "bad guys" are conglomerates with superior programming skills and extraordinarily destructive intentions, and especially on CMS they can hide their trojans so that it is virtually impossible to find them - let alone get rid of them. Not even server-operators can do that. I've had Drupal-sites on high-prized servers - and the same shit happened.
The only current answer, as I see it, is constant backups - end then killing the site, when shit happens - and install the latest, working backup - which is far from safe, because the bastards put their trojan in with a delayed action...
Bloody Russians... peasants... oh well, they are no worse or less criminal than the financial capitalistic Wall Street mafia - only they are blatantly outside the law - no hiding it...