This is exactly correct Tim.
As a company that hosts our own sites and clients, and manages clients elsewhere, the first line of security is the network and server itself. It’s why we use Liquid Web to host combined with a server level security such as BitNinja Server Security. Many hosting companies use Imunify360 etc. That probably prevents about 90%+ of the real threats.
Security plugins on CP and WP of course is helpful. It can help to catch what gets through and protect the login pages. But I see too many people loading up multiple security plugins, running into piles of conflicts, and then wondering why their locked out or their site doesn’t work.
The more security plugins you add to your site the more problems your going to have and the slower it will run - simple as that, and the more it will compound from there. You need one good security plugin (with ReCaptcha on the login/forgot password pages) and that’s it.
Honestly, security plugins don’t help much in an insecure hosting environment. I’m not saying don’t add a security plugin. What I’m saying is don’t load up on them. As Tim says, get a good host!