I think in most cases it isn't publicly disclosed what the true root cause was. Most cases probably fall into 2 categories:
1) Companies are to embarrassed to admit they made a mistake, and furthermore there is no legal or security benefit to publicly declaring "We have an open SQL injection on xyz url."
2) Companies don't even know how or when they got hacked. Senior devs may have reached a point of thinking "There are so many moving parts here and I have so many bugs to fix that it's not even worth time trying to try to make them all secure against a targeted hacker." When they do get hacked, it may be the first time they realize that they haven't been logging everything that might allow them to actually trace the origin. If the attack happened far in the past, necessary information required to investigate may have been lost long ago.
1) Companies are to embarrassed to admit they made a mistake, and furthermore there is no legal or security benefit to publicly declaring "We have an open SQL injection on xyz url."
2) Companies don't even know how or when they got hacked. Senior devs may have reached a point of thinking "There are so many moving parts here and I have so many bugs to fix that it's not even worth time trying to try to make them all secure against a targeted hacker." When they do get hacked, it may be the first time they realize that they haven't been logging everything that might allow them to actually trace the origin. If the attack happened far in the past, necessary information required to investigate may have been lost long ago.