You don't always have to break into someone's web server to get them to deliver your malware for you. You can just break into the server they get their online ads from.
Or you can pre-infect the online ad server software so you can own it as soon as it is installed.