Morrissey said, "I've seen it happen in other people's lives and now it's happening in mine." I don't think he could have imagined that line would get appropriated to talk about WordPress® security.
When you install a plugin on your WordPress® Website, you get the good with the bad — along with the increased functionality, you also inherit any of its security risks. By installing a plugin, you add more code to your Website. The more code your Website has, the more ways a hacker has to enter your Website and do with it as they please. And when someone leverages your Website to attack someone else, you're making the Internet that much worse.
It's easy to shrug that off as alarmist, but when you've seen thousands upon thousands of Websites compromised because of a plugin, you feel less like Chicken Little and more like someone trying to save a lot of people a lot of grief. This is all to say your WordPress Website is susceptible to compromise unless you follow some best practices:
The fewer plugins you run (ideally none you don't actually need) and the more promptly you update the ones you keep, the less likely your Website is to be compromised. If you're careless, though, you run a great risk of getting hacked. It doesn't only happen to "the other guy." It's happened to me, and it's not pretty.
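One way to put those two practices into a repeatable check, as an added example that is not code from the original post: take the plugin inventory WP-CLI prints with `wp plugin list` and flag every inactive plugin (dead code that still ships vulnerabilities) and every active plugin with a pending update. The CSV sample embedded below is constructed for the example, not taken from a real site; the `audit_plugins` and `findings` function names are this example's own.

```shell
#!/bin/sh
# Audit a WordPress plugin inventory for the two things the post tells you
# to fix: plugins you don't use, and plugins you haven't updated.
# Input is the CSV that WP-CLI prints with:
#   wp plugin list --fields=name,status,update,version --format=csv
# The sample below is constructed for this example, not from a real site.

SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
hello,inactive,none,1.7.2
contact-form-7,active,available,5.8.4
classic-editor,must-use,none,1.6.3'

# Read the CSV on stdin and print one line per finding:
#   <name> <status> <finding>
audit_plugins() {
    # drop the header line, then split each row on commas
    tail -n +2 | while IFS=, read -r name status update version; do
        case "$status" in
            inactive)
                # installed but switched off: its code is still on disk and
                # still reachable by a hacker, so delete it rather than keep it
                echo "$name $status remove-unused-code" ;;
        esac
        case "$update" in
            available)
                # a published update usually means a published fix
                echo "$name $status update-pending" ;;
        esac
    done
}

# Findings for the constructed sample (two lines: hello and contact-form-7)
findings() {
    printf '%s\n' "$SAMPLE_CSV" | audit_plugins
}

# On a live site, pipe WP-CLI straight into the audit (wp must be on PATH):
#   wp plugin list --fields=name,status,update,version --format=csv | audit_plugins
# and then act on what it reports:
#   wp plugin delete <name>     # for each unused plugin
#   wp plugin update --all      # or update one at a time and test in between
```

Run this on a schedule (cron, or your deploy pipeline) and treat any non-empty output as a ticket; the "must-use" status is deliberately left alone because those plugins are loaded unconditionally by WordPress and can't be deactivated from this list.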