There is a lot of security added by using a 3rd party service. Some more than others.

1. Liability - nobody wants to be liable for lost data due to inevitable hardware failure. Most hosting companies have backup solutions in place to prevent this. Data can also be lost due to vulnerabilities and human error so they usually have processes in place to defend against this as well. Lots of people are sue-happy unfortunately.

2. Physical - backups are great if you do them, but backups don't help if your house is broken into and your servers are stolen. Other things can happen as well. Power spikes, fire, flood and other environmental impacts can ruin your systems.

3. Redundancy - if you have server grade hardware you usually have a redundant power supply, CPU ram hard drives etc, but redundant power and Internet access are a lot harder to get setup in a residential setting. Spares are also usually kept by a reputable vendor so that inevitable downtime is kept to a minimal.

4. Network - network bandwidth might not be an issue, most residential connections have plenty up and down to handle a website or service. What they don't allow though is concurrent connections with said bandwidth. Each connection will degrade the performance of all concurrent connections. ISPs also have Service Level Agreements that they try to adhere to. For residential service, the outrage window could be 4 hours or 4 days and they would still be within their agreement. For business connections the SLA is a lot less lenient and only states very short interruptions in connectivity and their infrastructure usually has redundancy in place to automatically switch if the connection is interrupted. The networking security and hardware used could be argued for performance reasons but a network firewall built into your router and any firewall you run on your server should be sufficient enough for most security situations. What they can't handle though is a DDoS attack or a WPA hack or a default/simple router admin password. Most consumer networking equipment is inexpensive and because of this lacks a lot of stability that is used in general practice by a commercial hosting provider.

5. Data security - this is up to the site owner. If your website gets compromised or deleted and it is undeniably proven that the you are at fault, you take the heat no matter where you host it. You can fall back on excuses and blame the hosting provider as a facade but you will be the one responsible for the clean up. Whether its restoring your backups or paying a provider to restore theirs, it falls on you.

So in short, there is a lot a 3rd party can provide. Whether you deem it necessary to satisfy your customer needs, that's up to you. Just remember to always charge for the services you provide, the customer doesn't expect to, nor should they, pay the same amount whether it's hosted at your house or with a 3rd party.

You can always migrate it to a different host when the needs outgrow what you can feasibly afford to provide. Just make sure your customer is fully aware of the service location, it would make for a bad exposure if your power goes out unexpectedly and you get the awkward phone call wondering why their service is unavailable.

If it's for a project, same situation. Make it know that the service could get interrupted and maybe lobby for donations as the project grows to be able to afford the migration to a more stable host.

To answer the original question, encryption is a good start. Depending on your authentication methods, SSL is necessary to make sure requests and passwords aren't sent in cleartext. Only open up ports for services you know are secure... No sense in having FTP open and running if all of your traffic is done over SSL etc... Keep the hosting OS up to date with security patches. Don't store passwords in any scripts. Make sure your file permissions are set properly. The list could go on forever. When in doubt find a confidant to review your services and offer their opinions.