Earlier this year, a study found that religious websites have more malware than porn websites. Unfortunately, this is not too surprising.
Pornography sites are often run by very profitable media conglomerates, and it's in their best interests to have reliable, fast websites. Religious websites (like your parish website, or a site for a small nonprofit) are often run on a shoestring budget and maintained by volunteers, if at all.
In the past, when websites were mostly static pages, and sites were hosted mostly on shared hosting, where the hosting provider provided (somewhat) timely server patches, leaving things be didn't cause much of an issue. But nowadays, with most parish websites running on Wordpress, Joomla, Drupal, or some other CMS that involves a database, PHP, Django, and/or other layers of services, leaving things be is a very, very bad idea.
Additionally, with many more developers and small development companies seeing the value of VPS hosting instead of shared hosting, servers themselves are lagging behind in terms of updated server software (Apache, PHP, MySQL, Linux, Rails, etc.). In fact, web servers are targeted more than Windows XP by hackers, mostly because so many are way behind on security updates (or have never been updated since they were originally built!).