they wouldn’t, because they don’t dirty their hands with malware
Exactly why I don’t trust a shared hosting provider to provide the security to protect my sites. Some hosts are probably better than others but I believe that security is the site owner’s responsibility. There are dozens of tutorials and tools available to address WP security. I’m not an expert but my guess would be that changing themes didn’t solve the problem. It may have disrupted the initial attack but, unless the root cause is identified and addressed, I think you’ll most likely see it again. There are other points of entry, some of which Tom mentioned above, that I’d be looking at before I’d suspect the GP theme or the Premium plugin.