The way I see it, you should never rely on a vendor for security. Whether that is Microsoft or Barracuda, ultimately all vendors systems can be hacked, so it is your responsibility to plan for the worst.
First map your data flow. If your database isn't for your website, it should be isolated from the outside. VLANs are great for this; isolate your data to its own network that has no outside access. Even a web db, shouldn't have web access, your web application can request data from your db network, but that should be the only thing able to connect to it. I know a lot of applications are primitively written and can only work within the local domain, but that really exposes that your application is badly written and probably has other security flaws.
Second, talk with your software developers. I did a data migration from D3 to SQL a few months back and the software developer wanted me to expose my sql data port, so he could easily connect to my DB. I nearly choked on my yogurt. A VPN obviously was the better option. Nonetheless, a lot of software developers will do questionable things because they don't want to disturb what they perceive as your business environment, in other words, they work around the problems. Ask your developer how their software works, and ask them what they think is the best method. Often they don't really know, but sometimes they do.
Third, patching is an ugly but necessary task. Schedule one Tuesday every month to test patches. I can't count the number of times that security patches have broken my apps, so you must setup a virtual environment and test those patches before you role them out. You can't wait and say, "I will do it Friday or next week", just set aside that one special Tuesday for testing all patches M$ or other. Unless you are the middle of a data recovery, you should have time.
Your biggest threat isn't the single hacker, it is the many. I see Chinese net cafes sniffing at my walls every day, while 99.9% of them are amateur script kiddies who couldn't crack a flash app, that .1% is still pretty numerous. Look into multi-layered defenses. OpenDNS and similar services will help stem the flood, but then follow that up with a properly configured firewall. Don't trust your users, so filter outbound traffic as closely as you do inbound. Make sure the individual station is secure and I don't mean installing anti-virus apps. If the anti-virus app is successful, you have failed at your job. If you can, lock down user's stations and require them to store everything on a central file server. You should be able to blow up the users computer and restore them to a new one, without them being able to notice the difference.