Newbie Question re: security

A full answer to this question would literally fill a book on security.

But I’m going to give you a mostly-complete answer here after clarifying some points about what happened to you:

This sounds like attackers (not “spammers” - spammers would just post spam) were able to exploit the Simple Machines forum and gain remote access to your server on which it was hosted. Crashing your site would only prevent access to it, rather than allowing them access.

Presumably this server also hosted other things or contained other data?

The best way to think about this is in terms of “blast radius”. In the event that someone gained improper admin access to your forum, they would have access to all of the data in the forum.

In particular PII, but also configuration or other API secrets. For example, if another service on your domain relied on this site for authentication, that might allow attackers to pivot to that other service.

In the worst-case scenario that an attacker got access to the backend servers (in general known as remote code execution), the blast radius would also include anything accessible by the user account under which the actual service is running. Various protections to limit that blast radius such as containerisation and running servers with non-admin credentials also help to limit that exposure.

To sum up, hosting on a managed service is safest for your site since we are responsible for system security.

6 Likes
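To make the "blast radius" point about the service account concrete, here is an added example (not part of the original post) that lists which files under a directory a given account can read or write according to POSIX mode bits. The function names, the sample file names and their modes are assumptions constructed for illustration; ACLs, capabilities and mandatory access control are ignored, and the account is assumed to be able to reach the top-level directory.

```python
import os
import stat
import tempfile

def perms_for(st, uid, gids):
    """rwx bits (0-7) that POSIX mode bits grant this uid/gids; ACLs and MAC ignored."""
    if uid == 0:
        return 7  # root bypasses mode bits
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def blast_radius(root, uid, gids=frozenset()):
    """Map each regular file under root to 'r', 'w' or 'rw' for the account."""
    exposed = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories the account cannot search (no x bit).
        dirnames[:] = [d for d in dirnames
                       if perms_for(os.lstat(os.path.join(dirpath, d)), uid, gids) & 1]
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = perms_for(st, uid, gids)
            access = ("r" if bits & 4 else "") + ("w" if bits & 2 else "")
            if access:
                exposed[os.path.relpath(path, root)] = access
    return exposed

def make_sample(root):
    """Constructed forum-like tree; file names and modes are illustrative."""
    layout = {"config.php": 0o600, "index.php": 0o644,
              "uploads/avatar.png": 0o666, "backups/dump.sql": 0o644}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "uploads"), 0o777)
    os.chmod(os.path.join(root, "backups"), 0o700)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print("same account as owner:", blast_radius(tmp, os.getuid()))
        print("dedicated account:    ", blast_radius(tmp, os.getuid() + 1))
```

Run against the constructed tree, the account that owns the files can read and write all four of them, while a separate account with no group membership is limited to the world-readable page and the upload directory.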