I love the release progress of Sitefinity. Regular internal builds if you are looking for a fix before the next release and a steady march of new features. Sitefinity 8 is in beta and due out soon with all the 'What's new webinars' scheduled. A previous release, 7.2, had me impressed and ho-umm'd at the same time. When the 8.0 feature list came out I was interested to see if it would have me rushing to upgrade.
Sitefinity is a secure platform. It is PCI and FIPS compliant in all areas where user credentials are stored, but there are some things still left in your hands to ensure it is secure. Password policy is one area that you are in charge of. Passwords are a pain. If we use something we can remember, it is weak. If we use something secure, it's hard to remember. And what some sites require for a strong password is often not that strong.
Sitefinity uses an in-memory cache. It is an implementation of the Enterprise Library Caching Application Block. This works fine, but it's a bit slack in a multi-server environment. You are effectively caching the same data on every server, which is, I think, a bit redundant. But you can create your own implementation of the CacheManager using the ICacheManager interface. I have done this and used the Azure Redis Cache, a leader in distributed cache systems.
Without doubt you should be using the built-in cache features of Sitefinity. The difference is significant if you don't. One of the first tweaks is to extend the time in cache for objects. But there are a few more improvements I have found from browsing the web, and I have put them together here.
I recently had a requirement for Sitefinity Ecommerce to supply free shipping for orders over a certain amount. Along with that, it needed to be turned on and off for promotions. This feature isn't supplied out of the box with Sitefinity so I had to write an extension.