[Klathmon]

But even that won't help much.

If you are using "off the shelf" software, then that means i have something to scan for, and a vulnerability in the software means that i have tons of targets. Most of which won't be as secure as LastPass servers might be, and probably won't update immediately.

[comex]

Only if the software itself has a vulnerability - and it isn't that hard to secure a website or server that can't be accessed at all without a password, as opposed to one that needs to provide some level of service to anyone. Centralized services are also at risk of generic attacks such as convincing the hosting service/domain registrar/a company employee/etc. that you're authorized to change things, while pulling this off for many independently hosted site instances is considerably more difficult.