Hacker News

As much as this whole thing is horrific, to be fair about 1), if a dump doesn't show up in any public forum, pastebin or Tweet, it can be hard to realistically become aware of it.

(and yes, point 2 makes that redundant in this case)



One method that can be used is fake user accounts with simple-to-break passwords, like 123456. Logins to these fake user IDs can alert the system that the user DB has been compromised.
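As an added example (not part of the comment above), a minimal version of the canary-account idea in Python: the decoy usernames, their weak passwords and the login events are all constructed here, and a correct password presented against a decoy is treated as evidence that the user table was dumped and cracked.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed canary accounts (hypothetical names): decoys that no real
# customer uses. Their passwords are deliberately weak so that anyone who
# dumps and cracks the user table will recover them first.
CANARY_ACCOUNTS = {
    "backup_admin2": "123456",
    "jsmith_old": "password1",
}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Store the decoys exactly like real users (per-user salt, slow hash), so
# a dump of the table does not reveal which rows are canaries.
_salts = {u: os.urandom(16) for u in CANARY_ACCOUNTS}
_hashes = {u: _hash(p, _salts[u]) for u, p in CANARY_ACCOUNTS.items()}


@dataclass
class Alert:
    severity: str
    username: str
    source_ip: str
    reason: str


def check_login(username: str, password: str, source_ip: str):
    """Return an Alert if the attempt touches a canary account, else None.
    A canary login is always rejected; the caller handles real accounts."""
    if username not in CANARY_ACCOUNTS:
        return None
    matched = hmac.compare_digest(_hash(password, _salts[username]), _hashes[username])
    if matched:
        # The correct decoy password can only come from the stored hash
        # having been cracked offline, i.e. the user table has leaked.
        return Alert("critical", username, source_ip,
                     "canary password matched: user DB likely compromised")
    # Wrong password against a decoy: possibly spraying or stuffing noise.
    return Alert("low", username, source_ip, "failed login against canary account")


def scan_events(events):
    """Run check_login over (username, password, source_ip) tuples."""
    return [a for a in (check_login(*e) for e in events) if a is not None]
```

Real accounts pass through untouched; only decoy hits produce alerts, so the check can sit in front of the normal authentication path.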


Over a short period, sure. Over a period of six months, though, as the credentials get passed around and used... surely they should have noticed that their customers' sites were getting exploited unusually often, and in ways that couldn't be explained by typical poor security practices?


I've done a lot of work with cheap shared hosting and... I doubt it. Closing a compromised account until it's repaired is something I've done five times in a day, and I stopped investigating after a while because it was absolutely always a WordPress or Joomla installation that hadn't been updated in five+ years.

I played for a while with sending people warning letters asking them to upgrade known vulnerable versions, and more often than not they would just close their account and move it somewhere they "don't have those issues".

It's easy to be amongst larger application developers and lose track of just how low the bar is in the market they are playing in.



