If it is not WordPress, it must be some other off the shelf content management software that is modified enough to look different. It probably has a well known vulnerability and you are not being targeted specifically. This looks all automated exploit. You need to pay the guy to patch it probably.
There has to be budget for maintenance. It is a mandatory burden of having a website. Otherwise this problem is always going to come back. The fact that you kept dealing with link injections, manually cleaning them up and only worrying about it after they became sex related is bonkers.
It is like knowing that someone keeps breaking into your house and you keep cleaning up after them for years but now it is actually becoming a real problem because stuff is being stolen and illicit goods are being left around
Surprising to hear this still happens. It must be extremely rare. I had it happen only twice in all my life and I have been using phones for 30+ years