If I were starting over again right now I'd put a lot of focus on mobile devices (tablets and phones).
In my book a hardware firewall is a must. And get yourself an IDS. There are some open-source intrusion detection systems. If you plumb your site with a GeoDNS database you can block easily entire regions. I run some content sites and we spend 20+ hours a week on DMCAs.
Why do you need a CMS if you're a one person shop? In my mind, you only need a CMS when you get over ~4k pages or have more than 12 editors. I guess it depends what you're doing.