Building a Unix Server
Subject:   post installation if security is a big issue
Date:   2004-09-06 06:46:53
From:   simbo

Something that I think everyone should consider is installing Tripwire or AIDE to perform intrusion detection. These will scan the sensitive areas of your system for changes and alert you to them by email so that you can tell immediately when the system has been tampered with. They should be set up last. They are the only way to find out whether you really have done everything necessary to keep the box secure. The O'Reilly book Linux Security Cookbook explains how to set them up - and the tools and techniques are applicable to FreeBSD (or Solaris or any other un*x).

I agree that staying up to date is important - but I would feel uncomfortable leaving the src and compilers around on an Internet-facing server at a high-risk organisation such as a bank. It is best not to give an intruder any tools for them to break further into the organisation. It is likely that a cracker is coming in using a different OS, kernel, hardware or distribution; so why give them everything they need to reconfigure your box to their liking? I am lucky enough to always have spare kit that is identical to the production kit that is used as the build box for this reason. If this was not the case I would move just the src and compilers onto an encrypted partition using something like cryptoloop.
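
The baseline-then-compare check that the comment above attributes to Tripwire and AIDE, as an added example that is not part of the original post and is not either tool's own code. The function names and the sample tree are constructed for illustration; a temporary directory stands in for a watched path.

```python
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root to (sha256, permission bits, uid, gid)."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):
            continue  # directories, symlinks, devices are out of scope here
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        state[str(path.relative_to(root))] = (
            digest, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return state


def compare(baseline, current):
    """Return sorted (added, removed, changed) path lists."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return added, removed, changed


def demo():
    """Constructed sample tree standing in for a watched directory."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "passwd").write_bytes(b"root:x:0:0\n")
        (base / "motd").write_bytes(b"welcome\n")
        (base / "sshd_config").write_bytes(b"PermitRootLogin no\n")
        baseline = snapshot(base)  # taken last, once the box is set up
        # Simulated tampering: content edit, mode change, new file, deletion.
        (base / "sshd_config").write_bytes(b"PermitRootLogin yes\n")
        (base / "passwd").chmod(0o777)
        (base / "rc.local").write_bytes(b"#!/bin/sh\n")
        (base / "motd").unlink()
        return compare(baseline, snapshot(base))


if __name__ == "__main__":
    for label, paths in zip(("added", "removed", "changed"), demo()):
        print(f"{label}: {paths}")
```

The comparison is only as trustworthy as the stored baseline, so keep it where an intruder on the box cannot rewrite it, for example on read-only media or another host.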

