Security I see as a tiered system. How high it needs to depend on the niche and its related budget requirement. The security theater, what’s around the systems, is at least as important as the site environment system, but underestimated & purposely ignored.
If your CMS is like Fort Knox, but you put unhappy staff/time on work stations & service lines, or if your office uses unmanned entryways, or an unsafe network, or if your partner has an unguarded facility, etc., your site and data STILL won’t be secure.
If the environment around a system isn’t secure, the system isn’t secure. The question is: HOW secure does everything need to be for us — in our niche? What are the rules around that? What do we need to spend on it? 100% safe is impossible. It’s a tier system.