Hi,
First of all need to take care of the server security. Depend on what we find, we can suggest solutions. For example, IPTABLES on kernel side, mod_security for apache attack etc.
On PHP need to see what modules are there, should be necessary suhosin patch and other improvements on security (we suggest also mod_suphp)
On Joomla side, is hard to know now what to protect, we prefer usually to protect on server side, is much more efficient and if a security breach is in Joomla, mod_security help you out.
Could be also ASL (Atomic Secure Layer) to be used, we prefer that, but yearly cost is there at 158USD.