In “the old days”, 2 years ago or so, you could set up a website and then walk away from it – the only annual cost being the hosting cost. However, as websites have become more complex AND cheaper, they have become far more vulnerable to hacking.
The software used to deliver websites is a continual work in progress and vulnerabilities are discovered all the time. Urgent updates can be pushed out, but generally most security updates come out, certainly in the case of WordPress, only when the core software is updated (three times a year for WordPress).
Good hackers (is there such a thing?) won’t bother hacking low-value sites, but instead will focus their efforts on high-traffic, high-value websites. So, if you are an SME and stay with the latest version of the software, you’re normally safe. But if you don’t, the complicated hacks that hackers develop gradually become available on sites within the dark web. That then opens up the vulnerabilities to the likes of “script kiddies”: people with no skill to perform hacking but capable of running a hacking script they’ve downloaded from somewhere. And they’ll happily hack any site. Now you’re vulnerable.
That explanation is a generalisation, but it helps to explain why the new reality is that you ought to keep your website up to date with the latest software as soon as it becomes available. It comes at a cost – websites are now cheaper to create but more expensive to maintain than 2 years ago – but the cost of being hacked is far higher than updating your website 3 times a year, or paying your developer to do it for you.
So if you’re going to make some New Year’s resolutions, please let one of them be to keep your website software up to date.