Accessing a server where unencrypted private keys are stored (which I expect exchanges DO NOT STORE) or accessing the decryption algorithms as well as the storage could be the only real threats an exchange can be exposed to.

Also a DNS attack like what happened in etherdelta is a possibility however any average webmaster should be able to detect and mitigate such threat