well i agree with his reason
but I would highlight the main, which is vulnerability among the options you mentioned, the facility has a cracker to obtain passwords from one environment to be outdated, as it is possible to control, and not for the simple fact that a site is infected with code, many says User not found anything on my site that might become malicious, sometimes the User does not even realize that an attack is a weapon capable of destroying completely.