Supposing that they, y’know, try to keep their setups secure anyway. With how much you see about breaches of different sites, it’s hard to imagine individuals and smaller groups being able to keep their stuff secure.
Although, they may also benefit from being lower value targets in some respects, I suppose?
Usually very poorly. It’s pretty rare that a self-hosted or small site is secure. Just last week one of our clients needed help with some stuff and I was mortified when I looked at their production environment. Being obscure surely helps.