Plugging holes in CMS' to reduce hacks

Hi all, I've been lurking around tek syndicate since the amd 8350 video, since then watched the entire youtube playlist for the tek.

Now to my query, I recently started working at a mid-sized hosting provider a few months back and a common issue we see is sites that have been compromised/hacked, our admins typically say it's to do with Wordpress or Joomla (and associated modules) being insecure and have us lowly techs send the customer off to their developers. 

Frankly I don't think it's fare that we never specify in what way the cms or modules were compromised or that we never give the customer advise other than "please have your developer check their code and ensure they're using the latest versions of the software" (doesn't help when our servers don't support the latest versions due to out of date php and mysql versions). I'd love to be able to identify exactly where the breach occurred and advise the customer accordingly on what the best actions to take are. Shy of becomming a full blown php developer, what can people advise so I can stop feeling like all we're doing is passing the buck.

Thanks in advanced for any advise.

Drupal7.21 with OpenID module for user management?

Most of the customers sites we see are being built using Wordpress and Joomla. So far no customer I've dealt with has had a Droopal site.

How out of date are your servers? IE: what php and mysql versions are they usually running?