I've long since stopped building WordPress sites for clients, but you would be blown away by the number of people who have installed the free version of Securi or Wordfence, zero configuration, and then assume their site is completely safe from attacks.