Security is dynamic, situational, and consists of trade-offs. I consider the information here a starting point for reaching your own informed decision, or reviewing an existing policy or decision. Never take any security advice unconditionally.
Auditing your Drupal Website - A Checklist
Kiran Singh, Specbee, May 17, 2022
https://www.specbee.com/blogs/drupal-website-audit-checklist
Drupal Security Modules and Best Practices for Your Website
Jakub Woźniak, Droptica, Sep 24, 2021
https://www.droptica.com/blog/drupal-security-modules-and-best-practices-your-website/
Files directory getting out of control? Audit it!
Michael Anello, DrupalEasy
https://www.drupaleasy.com/quicktips/files-directory-getting-out-control-audit-it
Top Security Modules for Your Drupal 9 Website
The Drop Times, Jul 6, 2022
https://www.thedroptimes.com/9316/top-security-modules-your-drupal-9-website
Keeping track of upstream security issues
James Oakley, oakleys.org.uk, Aug 26, 2022
https://www.oakleys.org.uk/blog/2022/08/keeping_track_of_upstream_security_issues
The composer audit and Drush pm:security-php commands.