I can't say for big companies but for smaller companies it is generally software like WordPress for blog or some Forum software that you installed and then they find an exploit and exploit every site that has it. There is very little you could do even if you are updating frequently.
If you really need to install third party software i feel it's best to put them on their own instance and separate database than to share any resources with your main site.
If you really need to install third party software i feel it's best to put them on their own instance and separate database than to share any resources with your main site.