The threats can come in many forms – infecting a website with malware in order to spread that malware to site visitors, stealing customer information, like names and email addresses, stealing credit card and other transaction information, adding the website to a botnet of infected sites, and even hijacking or crashing the site.
A single security breach could be a death-knell for a small business. Most states now have strict data breach laws, and many come with stiff fines, penalties, and other costs. Even if a security breach at a small business website doesn't trigger a data breach, it can still have a huge impact on customer trust if customers find out about it.
An unprotected website is a security risk to customers, other businesses, and public/government sites. It allows for the spread and escalation of malware, attacks on other websites, and even attacks against national targets and infrastructure. In many of these attacks, hackers will try to harness the combined power of thousands of computers and sites to launch this attacks, and the attacks rarely lead directly back to the hackers.