No you misunderstood what I was saying. I delete all plugins including Askimet but when a new update is available it re-installs Askimet. I suppose if I manually updated every time I could customize what files get updated and what files don't.
As for why I know it's the plugins folder, the hacked files are easy to spot and remove. They will, for example, create a new new file in a plugins folder named the same as the plugin with .bak (i.e. plugin.php.bak) and other type of strangely named file additions.
when I delete those files the injected spam links disappear from my site.
I ensure that my plugins folder always has the correct file permissions but the hackers are able to reset the file permissions of the folder and sub folders to 777. This has happened on various WP blogs in multiple hosting accounts. The hackers also always create rouge WP users which I continually delete from my MySQL database.
Right now I'm in "wait and see" mode, by which I mean I'm waiting to see if I've finally expunged them completely from my site. Unfortunately it could be months and months before I know if my site is still open to the hackers.