In case that it helps...
At Tacticat we use a not-too-old version of PHP-nuke as CMS.
No hacking so far, after some 18 months. Nuke is not Joomla but it works for us.

No firewalls, the only precaution we've added is to restrict the web site to russian and another country IP addresses (can't remember which other country). No russian sailors at Tacticat.

We're being probed everyday and have had a couple of DoS (Denial of Service attacks) that were solved by our provider.


Maybe we are just lucky (crossing fingers).

Amando.