We've been doing a lot of work recently building a best practice guide on security and wanted to be able to send our clients a simple list of principles that are written in plain language. 

1. There is Safety in the Herd: Leverage large, well maintained open source libraries (packages) with a critical mass of users and developers. Use compiled packages and check data integrity of downloaded code. Start with OpenBSD, Debian/Ubuntu or RedHat/CentOS WITHOUT cPanel.
2. Order Matters: Don’t open up services to the Internet before your server is properly secured.
3. Limit Exposure: Only install and maintain what is necessary. Reduce the amount of code installed. Review server configuration regularly to see if it can be streamlined.
4. Deny Access by Default: Only allow access where it is needed, and make all access policies deny by default.
5. Use Well Known Security Tools: There are several well supported libraries that limit exposure, and check for intrusion. Use them on your webserver.
6. Avoid Writing Custom Code: Even large government departments don’t invest properly in regular, ongoing code reviews.  Minimize the use of any custom code.
7. Contribute Back: No software is ever perfect. There is always room for improvement. Make the code you use better and then give your changes back to the community. An added bonus is that if you do it properly you will get free peer review and maintenance support.
8. Limit Access: There need to be clear, documented roles of who has access to what. Only use root access when required. Isolate distinct roles where possible. Everyone with access needs their own account, shared accounts are insecure.
9. Make Your Application Happy: When running smoothly your server should not be generating errors. Monitor your server then investigate and resolve errors.
10. Document Everything: Make sure you have an overview of any customizations which may have been done or any additional software that may have been added.
11. Limit Use of Passwords: Have sane organizational policies on password requirements and use passwordless approaches which are less susceptible to brute force attacks.
12. Don’t Trust Your Backup: Define, review procedures and do test that you can restore your site regularly.
13. Obscurity isn’t Security: With Drupal we recommend actually leaving the CHANGELOG.txt file visible so that it’s obvious that you are up-to-date. For any software you use, know how to watch for security updates so you can apply them in a timely manner.
14. Security is Big: It is a mistake to assume that one person can do it well in isolation.  Having access to a team (even outside of the organization) will help.
15. Remember, You’re Still Not Safe: Have an audit trail.  If your site is compromised, take the time to find out how. Use proper version control for all code and configuration.
16. Not Just for Techs: Upper management needs to take the time to understand these general principles of IT security as they have profound implications to the work of the whole organization.

Thanks Colan for your additions. I'm looking for other suggestions to improve this document, so please feel free to reach out on Twitter to @mgifford.