"there's a lot of unmaintained, unpatched web servers out there that blackhats exploit"
To be sure there are many patched maintained web servers, applications that are also exploited (by someone for some purpose).
The best and the brightest get hacked and software maintained even by professionals regularly needs to be patched for new exploits. (Take Flash which seems to be running at between 1 and 4 updates per month). Or even OSX security updates.
I know everyone seems to think it's the other guy that doesn't have his act together and isn't following the obvious advice but there are many "other guys" that are quite capable and still end up having problems and being exploited. (Source: stuff that I read in news stories the same as everyone else.)