It's also important to keep all your software up to date with the latest security patches.
2. Depends. If the server is compromised in some way then it's quite possible that the database could be read or modified. Databases contain executable code and it does happen that malicious code gets inserted into the database - often hidden as data in tables. Those types of attack are almost entirely preventable, however, and when they happen it is due to sloppy coding practices, failure to apply the minimum permissions principle and poor quality control on the part of the database developers / DBAs.
Backups should go without saying but they don't necessarily help much against viruses or malicious code. If you don't notice an attack immediately you could have to roll back an awful lot of good data just to get rid of the bad. The damage is still done. So good security practices and development standards are a more important line of defence than backups alone.