In this case they didn't want to spend the money and opted to send through a personal email. I do agree that it would be better and have been trying to convince them get it set up.
RSfirewall! has worked well so far. I've been hacked on three different sites so far and I needed a solution. This notified my when someone is attempting to hack my site (it happens WAY more frequently then you would expect).. then I can black list them. I have also locked down my site from updates and added a second master password to my administration log in.
From my experience, having regular backup is the best approach to tackle the hacking attempts and keeping extensions updated to latest versions.
i usually scout the respective developer forums before updating the extension, that gives insight of any problem the new version may be having. If you use JCE editor, its best to update to latest version, one of my friends site got hacked coz of that.