Which part of "1. do have backups, 2. do have up to date backups and 3. make sure that your backups actually work (meaning run the backup recovery playbook)", don't people understand ?
Was trying to salvage contents from the post mortem files and database dump of a friend's site who got her site hacked (probably because the CMS she was using was multiple versions behind latest security updates). Obviously she didn't have any backup policy of her site and, in particular, didn't have an up to date (local) copy of her site.
One of the most unknown and most striking example of unfortunate loss of backup is given by Diary-X. Imagine how the owner of the website and his users must have felt that one day he had to put up a notice saying "Folks, I lost all your precious memories...."
Take the case of alseyn.net, for instance. It has multiple subdomains (more than I remember) but the two main ones are 'weblog' and 'pascal'. I do not even consider my webserver (that your web browser is talking to right now) as "production", but as copy of the real production which lives on my laptop. My laptop's instance of alseyn.net (and all it contains), is the real up-to-date site. The online version that you are visiting right now, is merely a copy that I deploy so that you people have something to read.
Of course, because otherwise I wouldn't be me, the laptop has enough backups of its contents, all managed by daemons that I don't even mentally pay attention to anymore, to ensure that my files survive a global nuclear war. (I have never actually been able to test that scenario though.)