That is a big chunk to bite off.
First, I would determine if you want to host the SQL yourself or cloud hosting.  Depending on the required uptime (which I think in your case would be 99.99999% or higher), I would be looking at cloud hosting.
Microsoft Azure has some stuff that is pre-configured and ready to rock.  But it is not a free solution; I imagine you will have a hard time finding free cloud hosting of SQL server.
I am assuming you want free/cheap as you are using SQL Express.  Are you aware of the limitations of SQL express though?  I think if you are moving from client-hosted to cloud hosted, you are going to want to upgrade to at least SQL Standard if not enterprise.
As for security measures, that is something that you, your company and your customers must agree on.  As this would have tons of different clients, getting AD authentication will be tricky and I imagine you will be using SQL Authentication.  You might be able to get by having 1 instance with multiple databases (1 per customer), but there is risk with that.  The alternate solution is to have 1 instance per customer, but then you are limited in the number of customers you can have as each one would need its own TCP/IP port.
For backups, that is more up to you.  How much data are you willing to lose in an emergency event such as the cloud host goes offline permanently without notice?  I would recommend having some offsite storage for your backups that is hosted on a different cloud or 2.  Depending on how much data you are OK with losing will determine how frequently you do backups.

Hosting things locally puts the control into your hands, but has the higher costs as you need to set up windows failover clustering and some flavor of HA/DR in SQL.  If you aren't running SQL Server Enterprise, you are very limited in any HA/DR solutions.  DH2i offers one solution that I have used and recommend, but I am sure there are others.  

Something to keep in mind though is that some companies who use your software might not like their data existing in the cloud and it adds alot of responsibility onto you both on the technical side and on the legal side.  Hypothetically, what would you do if somebody hacked your database and got all of the data for all of your customers and leaked it publicly?  What if something happens to your cloud server and you have unexpected downtime?  Would all of your customers accept 24 hours of downtime in which you can do nothing but sit and wait to hear back from the server hosts?

If this is the path you wish to go, I would first figure out your budget, do a little bit of research into what you can all afford to purchase with that budget, and then figure out what liability you would be accountable for.  Then I would double the budget (as budgets can explode unexpectedly) and I would highly recommend hiring in a consultant to help with this.  

I think the biggest take-away from this is get a consultant.  That is a HUGE project and if you have no subject matter experts on site, a consultant would be the best use of the money.  I expect this to be VERY expensive and VERY time consuming to complete.