Even when WordPress is running version 3.1, sites are still being defaced.
Even? There had been one major and five security releases since that version. If you are implying that 3.1 should be reasonably secure – it is not.
but the only answer seems to be outdated WordPress sites
What had you done to exclude themes, plugins and hosting used to jump to conclusion that WP is sole possibility?
If you are concerned about security of your sites had you considered hiring expert to perform proper security audit?