It has already been explained, several times. If you
* Expose RPC to the world, and
* Use `unlock`,
Then hackers will create a huge number of valid transactions, for a large number of nonces. It doesn’t matter if you have zero balance right now, once you put some ether on that account they will use those presigned transactions to drain it.
I’m on a personal mission to nuke `personal.unlock` from orbit, with [Clef](https://github.com/ethereum/go-ethereum/tree/master/cmd/clef) (still work in progress)