RE: "does the choice of service provider have any say in whether your site gets hacked or not?"
It's a controversial issue partly because so many people involved in the WordPress community are also involved in, even employed by, hosting companies, and partly because different people have had very different experiences with different hosts.
My personal experience is that it matters quite a lot.
I have received sustained attacks on or originating from Dreamhost, GoDaddy, Linode and many others -- all companies that are generally promoted as being reputable.
The best solution for me was to go to a fully managed VPS with a VPS hosting company.
BUT, with a VPS more responsibility falls on you to ensure security. For example, when you set up WHM, you need to have your checklist that includes enforcing jailed shells, locking down SSH, setting AllowSymLinksIfOwned and numerous other hardening features. With a good fully managed VPS host, you will get a lot of key security taken care of for you just by asking, including installation of mod_security with core rules, mod_evasive to degrade DDoS attacks and so on.
Whether or not you are on your own VPS, it is just absolutely vital that you:
- keep core, plugins and themes up to date, use WP Updates Notifier
- monitor file changes on the system, use WordPress File Monitor Plus
- control your uploads directory with htaccess to prevent access to non-image files (or other formats you allow)
- use a root htaccess to secure your entire file space
But honestly, the very most important and best strategy is:
1. Expect to be hacked
2. Have a disciplined backup routine that backs up your site and database daily and stores them offline
3. Keep good logs so you can identify when the hack took place.
With just those three things, you can revert your entire site back to a day or three before the attack -- and still go through the traditional steps in the links routinely offered by esmi, Jan and others. Do not rely on your host's promised backup features. Very few of them are accurate. With Hostv, you can configure your own backups which will be stored outside the web space, but could still be compromised if someone gains root access privileges. Use that feature, but also do your own backups to your own local desktop or an offsite repository like Dropbox or Google+.
This way you may lose a few days of work that you have to rebuild or abandon, but the bulk of your site will be fine. (Note: if you have basic Unix skills, it is very easy to use rsync to back up from your site to your Linux box, even if Linux is running on a virtual machine on your Windows computer.)
Note: I have no connection to Hostv other than as a customer and speak only for my own experience.
If you really want to get fully managed/fully administered hosting, you can opt for one of the services that does everything, but typically your design and functionality choices are extremely limited.
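An added example, not part of the original post: one way to use the daily backups described above to find the snapshot to revert to, by hashing each snapshot and reporting the last one taken before a non-image file appears under the uploads directory. The extension allow list, the `wp-content/uploads/` prefix, the function names and the three sample snapshots are assumptions constructed for illustration; `restore_point` takes a list of `(label, manifest)` pairs, oldest first.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: extensions this site allows under uploads; edit to match your own.
ALLOWED_UPLOAD_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
UPLOADS = "wp-content/uploads/"

def manifest(root):
    """Return {relative path: SHA-256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def diff(old, new):
    """Paths added, removed or modified between two manifests."""
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p])}

def disallowed_uploads(man):
    """Files under uploads whose extension is not on the allow list."""
    return sorted(p for p in man if p.startswith(UPLOADS)
                  and Path(p).suffix.lower() not in ALLOWED_UPLOAD_EXT)

def restore_point(snapshots):
    """Return (last label before a disallowed upload appears, diff to review)."""
    clean_label, clean = None, {}
    for label, man in snapshots:
        if disallowed_uploads(man):
            return clean_label, (diff(clean, man) if clean_label else None)
        clean_label, clean = label, man
    return clean_label, None

def demo():
    """Build three constructed daily snapshots in a temp dir and analyse them."""
    days = {  # constructed sample data, not from a real site
        "day1": {"index.php": "v1", UPLOADS + "a.jpg": "img"},
        "day2": {"index.php": "v1", UPLOADS + "a.jpg": "img", UPLOADS + "b.png": "img"},
        "day3": {"index.php": "v2", UPLOADS + "a.jpg": "img", UPLOADS + "x.php": "unexpected"},
    }
    with tempfile.TemporaryDirectory() as base:
        snaps = []
        for label, files in days.items():
            for rel, body in files.items():
                target = Path(base, label, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
            snaps.append((label, manifest(Path(base, label))))
    return restore_point(snaps)
```

The returned diff also lists files outside uploads that changed in the same snapshot (here `index.php`), which is the list to check against the server logs for that day.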