A new host/a host with DDoS protection is not going to fix that. You need to hire a systems administrator to work on your security and fix the insecure scripts that are causing you to get hacked. Getting hacked and getting DDoSed are two very different things.
Maybe he meant getting hacked and DOING the DDoS'ing?
It does sound like he needs to better secure his site. Hardening it should be the first thing on the agenda of anyone getting a VPS/dedi. In this case, CSF is definitely a good friend.