(Sips coffee, and thinks I'm sure I'm going to regret this, but here goes. Steps gingerly on top of the soap box.)
Why? End user laziness, a healthy mix of stupidity, all wrapped together with a lack of personal responsibility.
Wow, that was harsh. Still true though. If that's too harsh then read it as "Why? Lack of self-education." and if any mod wishes to tone down the 2nd and 3rd paragraphs I won't object. :)
Occasionally there is a legitimate bug in WordPress that gets exploited via a script. Once an exploit is out there, folks who have their own forums and their own groups write up how to take advantage of it.
Sometimes the turnaround is less than a few hours. Other times someone locates a bug in some old unsupported version like 2.0.x and exploits that. Finding exploitable versions in the wild is as simple as running a Google search. Or just run the script to walk through any Google list that replies back from /wp-login.php; it's not hard.
That's part of why WordPress.ORG has that built-in notification system to let you know you need to upgrade. If I could change anything I would eliminate the auto-upgrade; it's not a bad idea and it works much more often than not. But it lets the end user off the hook for knowing how their blog works.
The fact that WordPress is so easy to use and so popular is what makes it such a great target. The point of exploiting your site is not to bug you, it's to get the links that make these guys money on your site. The more links on more sites, the more ka-ching for the bad guys.
Nothing is foolproof, and with enough time almost any site can be broken into. But if you keep up your code, if you follow best practices on your filesystem and database, and learn how the system you are using works, then odds are good that you'll continue to be safe.
If you can't, won't, or are unable to learn this stuff, then look for a managed WordPress solution like WordPress.COM. That way you can focus on blogging and leave the geeky technical work to someone else.