There's simply so many vectors to get in. Every layer of technology you add is a potential layer of vulnerability. The state of security is appalling and people have been repeating this for so many years, but few other people listen (or they simply pretend to listen and convincingly appear as if they've taken precautions).
I doubt most of them have any particularly good coding skills. Large-scale Middle Eastern hackers and website defacers are primarily script kiddies. It's just that they have a lot of willpower and time to run vast automated attacks.
Actually a lot of high-profile attacks like this don't even involve exploiting the actual web application. Rather, they hijack nameservers, socially engineer domain registrars or find some external avenue or service to get in by enumerating open ports, seeing what's juicy and searching for exploits. They also phish a lot.
Information security is a very complex and intriguing field, but when it comes to merely cracking web applications from a purely practical point of view, it's relatively easy and especially so now that any wannabe hacker can just burn Kali Linux on a CD and read some tutorials on using tools.
Media loves to blow this out of proportion, because "cyberterrorism" and "cyberwarfare" just looks so damn cool in print. In reality though, you can count gainful attacks, the kind which would make sense to be conducted by governments, on fingers of one hand.
That defacing websites is a misguided patriotism? Well yes, it does not contribute to your case in any measurable way. It's not like bringing down a blog means a jack in real world.
As to your token US-bashing, I'm not a U.S. citizen so your outrage is misplaced.
The situation with Syria is not as clear cut though. If Assad just went away instead of massacring his own people on (then peaceful) protests, there wouldn't be anywhere as much influence of radicals among people today. He obviously prioritized his well-being over Syria's long-term stability, and this is the consequence.
Most ips were located in Russia, Ukraine, USA and a few other Arab countries.
I highly suspect they are a small group of amateurs, right now we have moved to AWS with Dos-Arrest in front which seems to work well.