There has never been a direct exploit caused by XenForo's code.
The only issue was with the SWF upload 3rd party code, which Mike patched immediately after being alerted to the issue (and incidentally I think was the first person to fix it in any software?). I also believe that no XenForo board was actually compromised via this route either, due to how quickly the patch was deployed.
All other XenForo-related "hackings" have been down to poorly coded addons, or compromises of the hosting (be this VPS, dedicated or shared).