I am on a "managed" VPS server, but it seems as though the responsibility for securing the server is still up to me. I was several versions behind on cPanel and I had to notify them about this in order to upgrade. I have since figured out how to do this myself and began a trial & error on other security features.
Firewall
I enabled the default Virtuozzo firewall. Blocked access to everyone (except me) on:
SSH
FTP
..is this firewall good enough?
FTP
Recently I came across a post on this board about the WinSCP client. I ditched my CuteFTP and now exclusively log in under my SSH port with WinSCP, using a private key.
Cpanel
Many say the only way to secure this is to dump it altogether, but I prefer it. I find it very easy to use and I disabled all non-necessary applications to lessen the chance of an attack (and to save the load on the server).
I periodically check for new versions & upgrade immediately after I find them.
I also tried to block access to the cpanel port to everyone but me (through the firewall), but I got hundreds of failure notices in my email box the next day, but the site never went down. I'm sure the best place to ask is the CP board, but am simply curious if there's another way to disallow anyone but my IPs access to it.
Apache
I am running 3 versions newer than PayPal. I've decided I won't migrate to 2.0 until they do, for fear of breaking some of my applications. (If they're secure enough to hold millions of credit card numbers.. I figure I'm safe too. And no I do not store CC#s :) )
FYI: I am on 1.3.39
PayPal: 1.3.33
Scripts
I upgrade script patches immediately once security fixes are released.
Passwords
WHM and Virtuozzo both login under: root
Does this matter?
I periodically change the passwords to stuff like 65ds4g5HUFHU89384
Blocking
Periodically I check my logs and block suspicious IP ranges (mostly those that are outside of the areas I prefer to work with). I realize this isn't fool-proof, but it's better than doing nothing.
What else can I do to heighten my VPS' security?
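The periodic log check from the opening post (reviewing logs and blocking suspicious IP ranges), as an added example that is not part of the original thread: it counts failed SSH password attempts per /24 and skips the administrator's own addresses. It assumes OpenSSH's "Failed password" syslog line format; the log lines are constructed, and the function name, threshold and prefix length are hypothetical choices.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in OpenSSH syslog format (documentation-range addresses).
SAMPLE_LOG = """\
Mar 15 02:11:01 vps sshd[411]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar 15 02:11:04 vps sshd[413]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Mar 15 02:11:09 vps sshd[415]: Failed password for root from 203.0.113.99 port 51200 ssh2
Mar 15 02:15:30 vps sshd[420]: Failed password for invalid user test from 198.51.100.23 port 33001 ssh2
Mar 15 08:02:44 vps sshd[502]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
Mar 15 08:40:12 vps sshd[530]: Failed password for root from 192.0.2.10 port 50100 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def suspicious_ranges(log_text, allowlist, threshold=3, prefix=24):
    """Return [(network, failures)] for IPv4 ranges with >= threshold failed logins."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # hostname or garbage in the address field
        if addr.version != 4 or any(addr in n for n in allowed):
            continue  # never propose blocking your own addresses
        counts[ipaddress.ip_network(f"{addr}/{prefix}", strict=False)] += 1
    hits = [(str(n), c) for n, c in counts.items() if c >= threshold]
    # Busiest ranges first, ties broken by network string for stable output.
    return sorted(hits, key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for net, n in suspicious_ranges(SAMPLE_LOG, allowlist=["192.0.2.10/32"]):
        print(f"{net}\t{n} failed logins")
```

With key-only logins, every "Failed password" line comes from someone other than the administrator, which is why the allowlist matters only for avoiding a self-lockout after a mistyped password.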
What else can I do to heighten my VPS' security?
Move to a dedicated server. A VPS is just a virtual box in a real server and your security policy will never be better than the policy applied by the hosting company to the root-access to that server.
I was several versions behind on cpanel and I had to notify them about this in order to upgrade.
If this is how your hosting company responds to security issues, it validates my first point.
I've also only been able to locate unmanaged options. (Or, dedicated hosts offering "support" for an extra fee.. for nearly the cost of the entire server) I can't say I'm too advanced with the technical aspects of running a server. Patching applications I've been able to teach myself thus far, but I had a hard time installing the easiest of applications, so I do need the option of being able to ask somebody else to get in there and install what I need, when I need it.
[edited by: phranque at 12:57 am (utc) on Mar. 16, 2008]
[edit reason] hosting discussion [/edit]