
This is a great list.

I'd add some of the relevant things from security strategy over the past 20 years, like "log lots of stuff".

There are many things which help availability (backups, easy deployment, tests, etc.) which also help security. If it's relatively easy to push an update, it's a lot more likely that you'll be able to rapidly respond to a vulnerability, or will have pre-emptively updated away from a vulnerability.

The most interesting things I've found recently have been in the "we can't touch that because we both don't understand it and because it's not working" parts of a complete site.



