Security has LAYERS
First layer is the server, second is the code, third is the admin and their behavior, fourth is the eventual user/site visitor and lastly the devices involved in managing/visiting the site.
To be REALLY secure a site needs to implement security on each level. Having a SAFE code on an unprotected server means no security.
However, even the most secure banks can get robbed. This requires the robber having information about the bank systems and the resources/time to circumvent security levels.
That is why systems with high security risk do update/change their security systems to adapt to threats.
Fact is that telling someone “you do not need security at site level” - is detrimental. You do not know their setup. you do not know the server level (are they on a crappy shared because it’s all they can afford? did they spun their own? are they on a big badass secure server?) or the code (did they tampered with the code making it more vulnerable?) or their visitors/users behavior is risky? or the devices involved is not secure? (devices, even a server, can have faults leading to threats). And even knowing their setup, it’s risky to put out there such a laid back advice IMHO.
Proof is that even sites we deem SECURE get hacked, breached and data is stolen/damage is done. Even when they implement security measures at each level.
This because we are humans, and if s*** has to hit the fan it will (Murphy’s laws are real). Acting without a care in the world will only help that.