I understand and appreciate your concerns. While PHP 5.5 went end-of-life last year, there are currently no (known) exploits against PHP 5.5.38 itself. If any are discovered in the future that affect our PHP version, they are backported in to our current version. Additionally, we have other security measures in place to prevent attacks against PHP and the servers that power our hosting cluster. Any exploits are likely not going to be due to that specific PHP version. Exploited sites are usually due to code vulnerabilities in WordPress plugins, WordPress itself, other insecure code, or direct access to the WordPress administration panel or hosting account due to a compromised administrator password.
At this time, WordPress is fully compatible with PHP 5.5 and a majority of plugins are as well. Aside from routine scans for malicious files and activity on the hosting platform, we have a number of processes in place to detect and thwart sites exploited due to the reasons above.