I think it's safe (er... excuse the word choice) to say that no site on shared hosting is "completely safe" and only servers run by the very savviest admins will resist a determined attack.
Quick question: if you want to sign into your site (SSH, FTP or admin interface), do you have to be coming from a specific IP, use SSL/TLS and be on a specific, but non-standard port? Probably not.
I recently read an article by a guy who ran a site dedicated to fighting server attacks, so they essentially had a big target painted on their site. They endured a significant attack almost every day for years without bringing the server down. In order to achieve this, they created their own server stack that was locked down in all sorts of ways that your average webmaster would find intolerable.
Safety and convenience are always at odds... and most CMS and their server setups are designed to be convenient first.