Joomla is popular, so it's a target
Joomla is great open source software. It has a huge, active community. It is well designed, well built and well supported. It is no wonder it is estimated that 3% of all web sites are based on Joomla (W3Techs). So it probably shouldn't come as any surprise that the bottom-feeders of the Web world are increasingly targeting Joomla sites for their attacks. If you have ever had a Joomla site infected with malware (which is probably why you are here) you know what a pain it is to clean up. Hopefully you have a clean backup or an easy way to migrate your content to a fresh install. There are some good resources out there that discuss cleanup options. If you are not at least using Akeeba Backup or something like it, you should look into that now.
When hackers try to use their various exploits to change your Joomla code files, they can't. You still need to take other precautions, like preventing hackers from gaining access to the Joomla back-end. We use Brute Force Stop within Joomla to stop brute force attacks against login. We use fail2ban on our Linux servers. But none of these stop hackers from exploiting any security vulnerabilities that may be in Joomla itself.
Easy-to-update makes Joomla vulnerable
One of the great things about Joomla is its ability to update its own code. You can run updaters to keep the software current and you can install all kinds of extensions to add functionality. But this is also what makes Joomla vulnerable. In order to update its own code, the user account that the web server runs under must have write access to the code files themselves. So if hackers can get that user account to run some malicious code they can change the web site's own code - usually to insert more and more malicious code, give them greater access, cause the site to spread malware code and so on.
So what do you do about this? You can lock down the file permissions so that the web server can run the code but not update itself. But this is not very Joomla-like. Now you can't run updates and install extensions. Plus there are a few directories that need more open access for content development and site operation, like the images directory and the cache and temp directories.