It should be pretty tough. Even more so if they're using full hardware virtualization. It may be possible from time to time to exploit bugs in the virtualization software (xen, vmware, virtualbox) to gain root access to the entire virtualization package but these are probably going to be few and far between and vps's in nature are far more secure than being on a shared web server (assuming secure up to date webservers in both cases)
Besides, most hacks I've seen tend to be on out of date wordpress installs or other outdated scripts.
"People may not always remember exactly what you said or what you did, but they will always remember how you made them feel. So smile!
It's like I was born slow or something. Mock me if you will; I finally got internet fax
and I've joined this century. If you get a quick reply from me via a fax, it's because I used my smart phone, not because I'm working hard.