First of all, AJAX is not vulnerable or prone to hacking. It is just a mechanism to fetch content from a server via JavaScript in the background.
The stuff which is vulnerable might be the website itself, maybe because it has an XSS bug, which lets attackers inject code into the site, which then is able to leverage AJAX and other APIs in order to do stuff, like DDoSing someone or transmitting credentials to a third party.
It might also happen, that the server side is not secure. There might be someone who got access to an ad-network, so they then distribute malicious code to your visitors, because you placed ads on your homepage. Again, that's not the fault of AJAX or any API, but rather because of a flaw in the application or some implementation itself!
Since there are always a lot of bugs everywhere, developers started to think about ways to at least reduce stupid fails. Today, we have Unit Tests with code coverage, which at least guarantee that your application does the right thing in all situations you can think of. Additionally, clever heads come up with new languages, like Rust, and advanced error handling techniques, like Monad error handling, which enforce a high level of security. In addition to that, there are quite many efforts to standardize (web) security in an open fashion. There are projects, like ASVS and AppSensor on OWASP.
All in all, security has never been better and I can guarantee you that the simple AJAX standard (or even WebSockets for that matter) are not vulnerable at all! The problem mostly lies in some implementation.
We are humans. Humans err, that's why they are humans. Since humans err, their products are bound to be flawed. Since the products are flawed, there will be people who find (and exploit) the flaws. But the amazing thing is, that humans further strive for perfection, so flaws become more complicated and people will need more and more knowledge to understand what the hell is going on. That's why people will make errors, which might be known to others already, just because they lack the necessary expertise which humans gathered over decades as a collective.
In the end, all we can do is specialize even more, so that we know exactly what we are doing and only making mistakes which are not yet known to others. Then we can hope that it will take quite a while for others to find the errors; or we will find them ourselves, and fix them in a complicated way which further offsets the moment at which an attack vector is found.