Hi jacal,
When people (often victims) come to report a site is being flagged by Avast (AOS, webshield etc.) it means the site has actually already been infested with malware. Before that a site may have long been open to abuse, either vulnerable or open to exploits etc. Often those that have put the site up do not know what and where to look for weaknesses in the site's code, the configuration, DNS errors, etc.
We scan in a specific sequence with scanners for such insecurities and the presence of retirable code (libraries), outdated software (server, CMS, PHP), outdated plug-ins, vulnerable jQuery, cloaking, status codes, spammy looking links, defacement, iFrames, blacklist checks, and quite some other issues to report, so one could better protect or ask some expert to do this.
Eddy is right where he says that a lot of hosting parties do not do much in the way of pro-active protection of a website or a blog's security; they just cash in and leave it at that. Also software vendors (in order to keep their downloading customers satisfied) let you download the whole "kaboodle" and leave what to install and, more importantly, what not to install up to you. Just like Eddy I think this is a very unsatisfactory general situation. Whenever we can give volunteer support and spread our relevant knowledge of issues, give feedback (also to Avast) and educate to improve that situation, we feel grateful when we see results from our mission to make the Interwebs and websites more secure,
polonus (volunteer website security analyst and website error-hunter)
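
A few of the checks listed in the post (outdated jQuery, hidden iFrames, server and PHP version disclosure), sketched as a passive audit of one HTTP response. This is an added example, not part of polonus's post and not the scanners the volunteers use; the minimum-version policy, the function names and the sample response are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Sample policy (constructed): oldest library versions you still accept.
MIN_VERSIONS = {"jquery": (3, 5, 0)}
LIB_RE = re.compile(r"(jquery)[-.](\d+)\.(\d+)\.(\d+)", re.I)
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class PageAudit(HTMLParser):
    """Collects findings from one HTML document without executing anything."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            m = LIB_RE.search(a.get("src", ""))
            if m:
                name, ver = m.group(1).lower(), tuple(map(int, m.groups()[1:]))
                if ver < MIN_VERSIONS[name]:
                    shown = ".".join(map(str, ver))
                    self.findings.append(("outdated-library", f"{name} {shown}"))
        elif tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_RE.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))

def audit(headers, html):
    """Return (check, detail) findings for one response; headers is a plain dict."""
    findings = []
    for h in ("Server", "X-Powered-By"):
        v = headers.get(h, "")
        if re.search(r"\d+\.\d+", v):  # a version number is being disclosed
            findings.append(("version-disclosure", f"{h}: {v}"))
    p = PageAudit()
    p.feed(html)
    p.close()
    return findings + p.findings

# Constructed sample response, not taken from any real site.
SAMPLE_HEADERS = {"Server": "Apache/2.4.10 (Debian)", "X-Powered-By": "PHP/5.6.40"}
SAMPLE_HTML = """
<script src="/js/jquery-1.12.4.min.js"></script>
<script src="/js/jquery-3.7.1.min.js"></script>
<iframe src="http://example.invalid/a" width="0" height="0"></iframe>
<iframe src="/map.html" width="600" height="400"></iframe>
"""
if __name__ == "__main__":
    print(*audit(SAMPLE_HEADERS, SAMPLE_HTML), sep="\n")
```

A finding here only says where to look next; a hidden iFrame or an old library version still has to be confirmed against the site's own code and the vendor's advisories.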