In order to run code in an autonomous manner, a server must store the decryption key somewhere, and a hacker can usually find it, rendering the encryption useless. Limited exceptions can be made for keys that are required on boot and not stored, but when that happens they are stored in memory and can possibly still be had by a smart hacker.
walletpassphrase won't help, because the hacker can either:
- scan your memory cache, or
- just use the same session you are already using. For example, use your own JSON-RPC to send bitcoins.
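
The two points above can be seen in a simplified model of an encrypted wallet behind an RPC interface. This is an added example, not code from the original post or from Bitcoin Core. The class WalletModel, its fields and the caller names are hypothetical, and the passphrase and salt are constructed sample values.

```python
import hashlib
import hmac

class WalletModel:
    """Toy model of an encrypted wallet behind RPC (hypothetical, not Bitcoin Core code)."""

    def __init__(self, passphrase, balance):
        self._salt = b"constructed-salt"            # constructed sample value
        self._check = self._derive(passphrase)      # stands in for the encrypted master key
        self.key_in_memory = None                   # populated only while unlocked
        self.unlocked_until = 0.0
        self.balance = balance

    def _derive(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 1000)

    def walletpassphrase(self, passphrase, timeout, now):
        key = self._derive(passphrase)
        if not hmac.compare_digest(key, self._check):
            raise PermissionError("incorrect passphrase")
        self.key_in_memory = key                    # key now sits in process memory
        self.unlocked_until = now + timeout

    def sendtoaddress(self, caller, amount, now):
        # The unlock state is wallet-wide: `caller` is recorded but never checked.
        if now >= self.unlocked_until:
            self.key_in_memory = None               # timeout reached, drop the key
        if self.key_in_memory is None:
            raise PermissionError("wallet locked")
        self.balance -= amount
        return f"{caller} sent {amount}"

def demo():
    w = WalletModel("correct horse", balance=10)
    results = []
    try:
        w.sendtoaddress("other-client", 1, now=0)   # before any unlock
    except PermissionError as e:
        results.append(str(e))
    w.walletpassphrase("correct horse", timeout=60, now=0)      # the server's own unlock
    results.append(w.sendtoaddress("other-client", 1, now=30))  # no passphrase needed
    try:
        w.sendtoaddress("other-client", 1, now=61)  # after the timeout
    except PermissionError as e:
        results.append(str(e))
    return results, w.balance
```

The passphrase is checked once, at unlock time. Until the timeout expires the key is held in memory and any client on the same RPC interface can spend, which is why a short timeout narrows the window but does not close it.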