It's not that it's that easy, it's the fact that it's so popular and so many smaller forum admins don't take the time to keep it up to date. It's like a mecca to the kiddies if they can find an older install and exploit a hole. Plus two versions were able to be exploited due to other software involved (php and awstats). Do a google search for "powered by phpBB" + 2.0.10 and it returns 10,300,000 hits - and that's considered an older "unsecure" version due to the exploits. That's a lot of places for the kiddies to deface, you'd think they'd eventually get tired of it. ;)