The WordPress hacking/plugin security issue has been a solved problem for well over 10 years now if you're even basically competent. Especially if you're using something like WP Engine or Pantheon for hosting.
That's exactly what I advocate for as well. Static site export plugin for WP, and firewall WP behind an IP restriction. When Marketing updates the site every 3 weeks they can go click the big "Export" button to "publish it to the main site."