for our vBulletin sites to be hacked?

I voted improper www permissions, even though typically its due to a weak password... But technically that's not hacking, that's cracking (guessing a password or secure code).

Security flaws to happen with every software, it's only a matter of finding it and knowing how to exploit it. Nothing is hack proof.

In order of most likely

password
permissions
security flaw

Lots of add-ons and plug-ins provide exploits that weren't there in the native software. You forgot that one.

It should be multiple choice as no one issue is the correct answer.

I have to go with #1

Lazy admin with weak passwd and ssh running on 22 & root login enabled. No Hostsdeny configured.

Ditto on what Boofo stated, its not going to be a single answer, the most likely causes are poorly written php/sql code for injection.