Sadly, I often find folks have been compromised for weeks or months before hacker actually does anything malicious. That said, it's unlikely WordPress is at fault.
About 70% of the sites I've seen hacked were simply due to stuff being left outdated for many months at a time. In 20% of cases, the issue was a plugin (like an old revslider or Contact Form plugin).
As an aside, people often have other installations of WordPress or other scripts installed within their account, and never think that maybe another script on my site might be the entry point. I'd say about 5% of accounts are hacked due to forgotten scripts sharing the same account.