I can’t remember what plan we’re on. But this can be Enabled/Disabled manually. Or can be triggered for certain rules (if I recall correctly). Cloudflare is known for that loading screen and we were totally off-put by this until we realised it wasn’t a mandatory feature.
I’m not familiar with Lynis. Because of the size of our company, we have an Enterprise Grade Hosting Service that utilises security measures (that we don’t have to micro-manage). Plus, we also have an external auditor run through checks so that we remain PCI Compliant. A lot of the stuff I can’t get into for obvious reasons (e.g. NDA).
One thing I would definitely look into though is a File Integrity Monitor. It can be set up to notify you if any filesystem changes are made (e.g. Magento directory). That way, if your server was ever compromised then you’d know about it. Having said that, I believe most Magento compromises are database-related anyway, so a FIM wouldn’t help with that.
I don’t want to turn this into a Security Post as it’s off-topic to the original title… But the official PCI Security Standards Council site has some really good (if not overwhelming) documentation to help highlight what boxes you should be checking.