malware on my webhost’s servers

Bluehost suspended my websites because of hacker/phishing activity on their servers. Now they are suggesting I use SiteLock for hundreds of dollars a year to protect my website on THEIR servers. My last file transfer to their servers is years ago. Why am I responsible?