I know two simple CMS which has not been hacked yet. The two I wrote <img src="http://www.catsailor.com/forums/images/graemlins/grin.gif" alt="" /> 'Hackers', or more likely, the script kiddies, targets the large systems which they can get the most "cred" for cracking. I suppose that's why the systems I did have not been cracked to date.

Using HTML is OK for one, two or three skilled operators, but even then it is a bother. There will be problems with consistency, messed up pages and concurrency. When the current operator(s) move on, you need someone skilled at HTML as replacement and this person can be hard to find. A CMS is great for allowing several people to cooperate on running a website, from anywhere in the world. No client software except a browser is needed unlike what you do with pure HTML.

There is no easy solution. The obvious thing to do is to upgrade our Joomla version as soon as new versions are available. Switching CMS will be a lot of work, and we might be off just as bad as with the current CMS (PHP-nuke used to be cracked a lot earlier, when I looked at it). The safest solution is to SSH to the server and use vi for editing. I would not want to do that, even if it is what I usually have to when things break down.
Putting the webserver behind a firewall, preferably a proxy firewall, seems to help a lot.

There are no clear answers to this. If possible, I would suggest an upgrade and a firewall. Even the buildt in packet filtering in Linux these days do OK for protection.