Sadly, I often find folks have been compromised for weeks or months before hacker actually does anything malicious. That said, it's unlikely WordPress is at fault.
I would agree with this to an extent. admittedly the site was not updated for a short while but not that long at all, I always install core updates and plugins ASAP when I notice them. The hack has possibly been there for upto 4 weeks (last time I thoroughly looked through plugins folder)aside from that I'd log into dashboard and just click the updates section and go.
The only reason I suggest that the WP core may be vulnerable is because of the way the link in my first post describes the attack. not only that there is also a reference that Jetpack or the 2015 theme can allow these hacks to happen and I do use Jetpack..