By default, the latest version of WordPress is pretty darn secure. The click now development team of WordPress has considered anything that might have been added to any fix wordpress malware attack plugins. In the past , WordPress did have holes but most of them are filled up.
Don't depend on your Web host - Many people rely on their web host to"do all that technical stuff for me", not realizing that sometimesthey don't! Far better to have the responsibility lie with you, rather than out.
Yes, you need to do regular backups of your site. I recommend at least a weekly database backup and a monthly "full" backup. More, if possible. If you make additions and changes definitely more. If you have a community of people that are in there all the time, or make changes multiple times a day, a daily backup should be a minimum.
You can extend the plugin features with premium plugins such as: Amazon S3 plugin, Members only plugin, DropShop etc.. I think this plugin is a good choice and you can use it at no cost.
Always bear in mind that the security of your blogs depend on how you handle them. Make sure that you follow these strategies that are simple to prevent exploits and hacks on your own blogs and websites.