As @VirtuBox said, there ain't such thing as "enough security". One can't just sell WordPress services without a solid base to make the correct decisions about which plugins, what kind of code, will be used.
In other words, one can't just leverage responsibility to a server stack (like WO). Security is a very important concern, it should be taken seriously. Also, it demands constant monitoring of log files, for example.
Finally, a few days ago lots of WordPress installations got affected by a vulnerability included in a well known (but abandoned) related posts plugin, from the official repository. What could a server stack do to prevent this kind of event? (Spoiler: nothing.)