site/server vulnerability testing

vulnerability testing

         

MozartsHat

5:55 pm on Sep 25, 2010 (gmt 0)


I was wondering if anyone can recommend how to go about testing my site - and server (if that's possible) - for vulnerabilities.

I know there are a few different sites around offering these services, but can anyone recommend one (that's less than $200) and comprehensive.

I am pretty clueless in this area, so any advice would be useful.

Thanks in advance

enigma1

10:28 am on Sep 27, 2010 (gmt 0)


You need to put the hack attempts into perspective and look at how they work. The basic methodology behind them is that they monitor sites that post news about vulnerabilities in various s/w products. These sites in many cases include code details to explain the problem. The attacker can then re-configure script(s) to apply the published problem to various sites, checking for the existence of the vulnerable application first. This whole process in many cases is fully automated. If systems are compromised, they may instantly become repeaters of the initial process.

So the whole idea, for the most part, relies on sites that do not quickly update their software and are found via search engines. And they are many. Apart from the application a site runs, there are plenty of related applications like control panels, server remote controls, etc.

For what you mention now, the various services these companies offer are generic; they may not know or identify the application you have, or may only check the application and not the control panel or the tool that logs in to your database. It is also highly unlikely that they will be able to process and test active scripting you may include with your site. Also, during testing they will not try to bring your site down, as it is obviously illegal and you are a client. So you can see the weaknesses of generic tests.

IMO check with the s/w vendor for updates, surf the net with a clean system (as the site owner in many cases is the one who unknowingly compromises his site), keep sensitive folders password-protected and check the forums or news of the application you run.