90% of the times it is because the exchange is not making enough money! so they just put their left hands in their right pocket and take some money out then start crying that they were hacked while holding that stolen money in their other pocket enjoying the free money that fell from the sky on their laps.
10% of the times (maybe a little more if you are generous) it is a real hack because nothing is 100% secure. there are always vulnerabilities and ways to get hacked no matter who you are and how secure your setup is. for example last year Yahoo told their users that they were hacked and all their database was leaked!
I think you have it spot on there, Pooya. You can add to this, that centralized services like Exchanges have a vulnerability in
that their staff could have been compromised. You can have employees infiltrating your business and leaking your sensitive
code/passwords. You will never know when that person you hired are 100% trustworthy. Most of the time, these hacks are
inside jobs.