Security question

hosting security

         

belfasttim

12:01 am on Mar 11, 2010 (gmt 0)



Hi all-- I hope this is an appropriate forum for this question.

I built a site using a popular open-source CMS for a client about a year ago. They wanted to host with their current host, which I didn't like much but agreed to. Now the site has been hacked, as well as many other sites on the same server (built by the host) with a 301 redirect script that sends any traffic from Google to a spam site.

I can't see any obvious changes to my code or any injections-- however, the host is trying to blame me for the security breaches, since supposedly some of my directory permissions were lax, and they have some questions about "code".

I don't deny there's a possibility there was an attack vector through the CMS code-- but my question is this:

Isn't it the host's responsibility to chroot users and keep them in their own "jail" so they can't affect other users' sites? On a properly secured server, wouldn't my folder permissions be largely irrelevant to other users?

Thanks for any input

lammert

1:20 am on Mar 11, 2010 (gmt 0)



Isn't it the host's responsibility to chroot users and keep them in their own "jail" so they can't affect other users' sites?

My experience is that many hosting companies don't know that this kind of jailing of directories and user accounts exists. Even some large hosting companies with reputable names have their shared hosting accounts readable for other shared hosting users and on some occasions even writable. You should also see it from the other side. For the few dollars per month which are often paid for shared hosting accounts, it is almost impossible for hosting companies to hire top-notch staff and perform ongoing security audits. Many are happy to just survive.

Even if there was a problem in your code, it couldn't propagate to other accounts on the same server, unless the hosting companies had some serious design flaws in their security setup. I have chroot jailed all my individual hosting accounts. They all have their own login credentials and those credentials do not match the login details of the processes which run the Apache server or MySQL. It won't prevent hacking, but it reduces damage when one of the accounts gets compromised.

belfasttim

5:51 pm on Mar 11, 2010 (gmt 0)



Thanks Lammert-- you're right, I have some stuff hosted on a Cloud product from one of the most reputable names in hosting, and they have issues with users writing malicious code to other users' files.

I think I've removed the malicious code and the site seems to be working fine, but I'm pretty annoyed-- the host hasn't changed FTP passwords for almost two years (possibly longer) on any hosting accounts. And as of this morning, they still haven't. So I assume the attack vector still exists, if they were able to harvest hard-coded passwords from connection scripts and INI files.
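
An added example, not part of the original thread: a Python audit of the two exposures the posts above describe on shared hosting, namely paths that any other local account can write to and credential-bearing files that any other local account can read. The file-name hints, function names and the sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Assumed names/extensions of files that commonly hold DB or FTP credentials.
CREDENTIAL_HINTS = (".ini", ".env", "config.php", "settings.php")

def audit_docroot(root):
    """Return sorted (relative_path, finding) pairs for permission bits that
    expose this account to other local users on a shared server."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # mode bits on a symlink itself are not meaningful
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            readable = stat.S_ISREG(st.st_mode) and mode & stat.S_IROTH
            if readable and name.lower().endswith(CREDENTIAL_HINTS):
                findings.append((rel, "world-readable credentials file"))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample docroot so the example runs offline."""
    root = tempfile.mkdtemp(prefix="docroot_")
    layout = {
        "index.php": 0o644,
        "db.ini": 0o644,             # readable by every local user
        "private/db.ini": 0o600,     # owner only
        "uploads/cache.dat": 0o666,  # writable by every local user
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    os.chmod(os.path.join(root, "private"), 0o700)
    return root

if __name__ == "__main__":
    for rel, finding in audit_docroot(build_sample_tree()):
        print(f"{finding:34} {rel}")
```

The audit only reports what the account owner can change; whether other accounts can reach the docroot at all depends on the host's isolation setup, as discussed above.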