If this is indeed the case, please can someone provide a full list of what other measures must be carried out to ensure rock-solid security.
Fair comment, but I think we need to get things into perspective here. As developers, it's important that you know what you are doing - that's your duty to the client who is paying you as a professional.
Security Assist is a fantastic tool in that it helps to automate the page-side tasks of security. BUT, it will not fully secure your web server.
Further steps need to be taken to lock down, hide directories, even install SSL if you are securing really sensitive data. Have you considered your permissions on your MySQL database?
I'm no PHP security guru, but I've done a lot of reading in the basics of securing a web site - which to be fair I would expect from any developer as a paying customer.