A “breach” usually means they got access to the database, which is much different to access to the underlying server. We aren’t talking about databases, we are talking about servers.
It really depends on the architecture. At least I think it's fairly common for people to have some sort of database proxy running beside the static serve, so there isn't any direct public access and to do some caching, but once you're there it should be pretty wide open.
In my experience, it is much more likely someone forgets to escape some input and opens the database up (via SQL injection) than it is for someone to break in via ssh or gain access to the shell.
