As bob3160 remarks an infected website (whenever established as being infested or spreading malcode) seldom goes unnoticed and automatically all big vendors are informed to add it to their detection patterns. Malware as a rule does not stay long on a website unless it is intentional and this is called OVERDUE! status, staying on for over 3000 hours and more.
The phase that a website could stay vulnerable and attractive to be attacked, exploited and often re-infested could be much longer when the security issues on a site are not being tackled. First comes outdated CMS, vulnerable third party code, plug-ins, themes, SE spam injections, iFrame malware and a long row of other issues, but also vulnerable server and PHP software versions that make these attacks worth while (in JF-111's example it was brought to my attention that there are approx. 28 XSS attack sinks there) are continuing threats.
There we also see a lot of insecurities with server HTTP header configuration that makes it the more attractive for attackers to seek known exploits against this when the info is spread to the world and attackers alike. When your domain for instance is hosted on one and the same IP with some thousand others and you have a hosting party where money comes first you could imagine where that can lead to. Most Internet users are not always fully aware that that is the general situation we are in.
regards,
polonus