Most of the Content Management Systems need you to set 777 permission on certain directories to which they can write and when you make new pages from the CMS those are stored in those directories.
When you set 777 permission to a directory which is accessible from browser then any kid in the world can execute commands from browser to write to those directories. They can upload scripts on the server as well as in /tmp
You should not forget that /tmp has 777 server already set on it so if someone manages to upload in this directory then rest of the things are quite for them to continue. They can run DDoS scripts, spamming scripts, port scanning, ftp injections, Iframe Injections, Brute Force attack, Binaries and Libraries modifications, password decryption and many more things that you must have never heard so far.
You are lucky so far as they have not reached any of the
website hostings hosted on your server. it would be late to install mod_security at that time and tweak php.ini as well as some other server side settings.
You submit many tickets for small small things but there has been no ticket ever from you for security of your server. our guys have expertise in that department so it takes no time to put a ticket and get certain things done from them. Its but obvious that some
website hostings may face problems and those will be needed to be sorted but there's no need to Fume on those problems. Minor problems don't create any threat for your business while security flaws do so.