An exploit was found in the vBulletin upgrade script earlier this year. Before this exploit vBulletin officially only required deleting the install script after an install or upgrade but the upgrade script was generally deemed safe to leave on the server.
As a result of the exploit vBulletin now recommends deleting the entire /install/ directory which includes both scripts and numerous other files.
As a result of this exploit and the fact hundreds of thousands of sites use vBulletin, it was no surprise a percentage of those admins did not bother keeping up to date on security issues and either ignored emails or had changed their emails in the years since installing the software and as a result an estimated 30,000 sites were compromised starting in the end of September of this year when the details of how to use the exploit became public and every wanna-be hacker tried their hand at it. In most cases the damage to sites was minimal, just middle-eastern hackers changing the front page to their "Hacked by XXXXXX" message- luckily most of these guys left the data intact. They generally just want to shock admins into taking security more seriously rather than actually harm the communities long term. (Because lets face it, these admins who don't care about security probably also don't have recent backups in place either.)
Anyway... That is where the headline came from. It was a fair easy and far reaching hack resulting in so many compromised sites.
Usually when an exploit is found in software (including vBulletin- it happens from time to time) it is much "harder" to exploit and that limits the number of sites affected before a patch is released and installed.
One more thing about that exploit with the upgrade script... Any Admin that followed the recommended security procedures rather than merely the required minimums would have had the hack prevented by way of requiring a separate password to access in the /install/ and /admincp/ folders to begin with.
vBulletin has various options for stronger security beyond the "out of the box" minimums but it takes an Admin willing to implement them to actually work as intended.