all processes can be hacked when users don't use strong passwords. Weak passwords are the #1 cause of Joomla site hacks, stated by Joomla themselves.
Joomla core developers release a new update roughly once every two months.
Backward compatibility is always a consideration when making updates. Those not considerate to others who are running earlier versions and who's sites may break, always disregard these facts when they cry for the latest updates. Software updates have to be carefully considered and eased in and often previous versions are more stable.
On a VPS you should be able to use whatever version you wish. But the 'shared' in shared hosting is a clue as to why changes have to be carefully considered!