Both can and have been targeted in the past. It's just that the incentive to hack a centralized service is greater because they keep plenty of the user funds in hot wallets. If the exchange is really bad maybe all of the coins are in hot wallets.

I was gonna suggest EtherDelta as one DEX that got hacked in the past, but JeromeTash already did in his post here. One thing to remember about that EtherDelta hack is that those users who used a hardware wallet to establish communication with the fake site didn't have their wallets emptied. Many others did.