.....
I think that all users be able to withdraw cash in any time, so I don't use
any offline wallet. I call my online wallet is "pure hot wallet" :-)
....
I have two question now:
1. If nobody can get file "wallet.dat", does my wallet is security?
2. If somebody can get the file wallet.dat, does he or she can get all the bitcoin?
Just using a "hot" wallet is VERY risky. Look at other exchanges and a few have lost it all for doing this. Unless you just have a insane amount to spend to test it's security I would move majority into a cold wallet.
With a massive amount of BTC you sadly will attract a good amount of "bad guys". As far as how they do it... we cannot really say. If they find a exploit it could be part of lots of things you use on your website.