site closed due to malicious injection

This is a general question. I have several customers who manage their own wordpress installations. Recently a site that had not been updating their plugins or WP had a malicious code injection that affected one of my servers and resulted in the server ip address being blacklisted by spamhaus and others. I have 2 questions about this. How can you enforce users to maintain their installations? Can you penalize them if they don’t? How do you protect your server?? I hope that this is within the scope of your support and I look forward to your knowledge and thoughts on this extremely important subject.