I won't actually call it hacking, in the sense that it's mostly a result of not having a password-encrypted private key (the wallet password being what is used to encrypt the wallet), or of your password being easily broken by a dictionary or brute-force attack.
You're partially right - I'd always store the unencrypted private key/mnemonic phrase offline. However, if you're infected with malware anyway, the password for your encrypted private key ("keystore file") might easily be grabbed as soon as you access your wallet.
That's why hardware wallets are a much better solution, as the private key is isolated from the host and therefore can't be accessed by malware on your computer. Another secure method is isolating your private key/mnemonic phrase/keystore file from the internet (generating a new one offline would be the best solution) and manually signing the transactions offline (as already mentioned).
For small amounts it should be fine to keep the unencrypted private key/mnemonic phrase offline in a secure environment and to use the encrypted private key secured by a secure and unique password.