Good hackers know how to program their own exploits and tools. Bad hackers, also known as script kiddies, mindlessly use exploits and tools written by good hackers. This is all using the negative connotation of "hacker", by the way.
To me, the image that the word "hacker" invokes in my mind is that of a kid who has an irrepressible need to pick his home radio appart to understand every detail of it and tweak it, or to use the remote and receiver from an old TV to try and make his coffee-maker activated by the TV-remote. At least, that's the image it invokes for me, and that's probably the kind of things real hackers did when they were kids. Also, this kind of "hacking electronic gizmos" is the kind of activity the first people to be called "hackers" were doing.
The end goal is not really the main motivation for a hacker, but rather the sheer joy of picking a system appart and mastering it. For as long as there have been systems, there have been hackers picking them appart (which is usually illegal). Whether it is Frank Abagnale Jr. picking appart the bank's check systems to forge his own checks, or whether it is people who put bits of electronics on their phone line such that every call they receive looks, to the phone company, like the phone has been ringing for half-an-hour when they are really making a long-distance call (saving themselves the bill for it). Or, true story, a friend of mine who, as a kid, learned all about how to program a boot-loader on a computer, just so that he could put in a fake boot-loader, one which only printed a mean-looking error message, just so that he could blame his brother for it, and convince his parents that his brother shouldn't use the computer anymore, leaving more computer time for him!
So, do true hackers know programming? Well, if you mean "computer hackers" more specifically, then of course they do. Computer systems are collections of programs and protocols, created by programming them, and this is, of course, also the way you pick them appart. The vast majority of people that call themselves hackers are not hackers, they are simple crackers that think they are super-smart because they can do a DDoS, or sniff out computers on a network and brute-force their way in, or crack a WPA network access. Most of them just use software tools: either very simple tools (or scripts) that don't require "hacker-expertise" to program; or tools that hackers programmed and made available to use (many of which are now standard packages, like brutus, tor, john the ripper, etc.).
The thing is, few of the true hackers actually engage in cracker-like activity for very long (if at all), because once you've built the kind of expertise necessary to pick one or another system appart, you realize that you can make a great living (legally) with that expertise and/or that you can have just as much fun building systems as opposed to deconstructing them, and you're usually an adult by then too, and not so much interested in stupid little pranks or hurting innocent people (e.g., cracking for credit card info or whatever), unless you have no sense of morality but lots of greed. I programmed a few simple prankster viruses and exploits in my youth, when I was learning to program, but I quickly got bored of it and moved on to more creative things. Like many other experienced programmers, I have a set of skills and knowledge that I could probably use to do all sorts of hacking (as in, system attacks), but I don't have the slightest interest in doing that kind of thing; it's a lot of work (studying a system, finding exploits, etc.), and it's mostly pointless, destructive and immoral.
The answer is that yes, exploiting security holes requires programming. And finding them requires knowing how to code, too.
(Or we could get butthurt and chatter on about how one person could write the code and another might deploy it, and gosh, some people are morally wrong, how dare they be so? But that's boring and we might as well find something more entertaining like watching the paint dry, or arguing about what the definitions of words should be.)