Their documentation in the Linode Library is also really great -- as a starting point. Assuming that they're using the same guides in recommending server configuration, there are some things that could be done better by a skilled admin. e.g., their LAMP server guide for Debian 6 doesn't include suexec or any variation of FastCGI, two must-haves for a public-facing web server IMO.
Of course, they could have handled security internally better but I suspect other VPS providers appear more secure only because nobody has gone out of their way to target them.
The takeaway is that now, while I don't know if I can trust other VPS providers or not, I know I can't trust Linode. (Hell, to some extent, I trust HTP more than Linode now -- I haven't seen a dump of the Linode data on pastebin or a .ru forum yet.)
How a business handles disclosure of a compromise is as important to me as the fact that they were compromised. Notably, this is the second time they screwed up disclosure, after being raked over the coals for it the first time. I was willing to let the first one slide since Linode is so awesome in every other regard, and hope that they would handle the next incident more gracefully. Unfortunately, they didn't.
FWIW I'll be finding a new host, I just like to play devils advocate to balance discussions.
People need to stop excusing this sort of behaviour from companies.