That is incorrect. Admins cannot do anything about hosted project sites that have security issues. Unless, of course, you want to examine and fix hosted project sites' security yourself. Unlikely to happen, isn't it?
The more complex a site is, the more likely it is that you may have a security problem or a few. The BWO/CE website uses PHP and MySQL, making it far more vulnerable to exploits than standard basic HTML. But it is possible to have exploits even in basic HTML, though these are rare.
What admins have control over is server-wide security, namely that of Apache, PHP and MySQL. Security updates to any and all packages are handled automatically. While I can never be 100% sure, I'm quite confident the settings of Apache, PHP and MySQL are secure enough without compromising PHP compatibility. Improvements can be made via third-party tools, such as mod_security. The last time mod_security was installed, it caused problems with SMF, though.
Case in point, if the server had exploitable security holes, I'm pretty sure the main page, forums or wiki would have been victimized many times already instead of some random hosted project site that's obscure even among hosted projects. Still, it doesn't hurt to contact this guy and confirm what security exploit was used; if nothing else, at least that gives yet another lesson in security to whoever is coding the BWO website.