If you run a commercial site in the US your host is in a very actionable position.

If you are paying them it is not ok that they have failed to secure the site. Unless you went through and altered the permission of your site to allow your default documents to be written to by the webservice user/cgi user and uploaded weak scripts.
Not only that but since they run FreeBSD they will most likely have an exceptionally difficult time demonstrating that they took due care as no TFM exists for FreeBSD at this time and they would have needed to create their own _and_ get it approved by someone with clout, which seems unlikely at best since if they cared that much about security they 1. would not be running FreBSD and 2. would not be having their client's websites defaced.

If it isn't a commercial website, your losses were likely so small (just replacing the page) that further action prolly wouldn't be worth your time.

catch