Not sure I understand the question.
Are you just talking about the relationship of a user and their host, or the users' clients also?
Are you meaning, how much should a host be responsible for the actions of the accounts that people have hosting with them, and in turn, the protection of that information of their clients?
I know that when we were running a hosting company, we ran several vulnerability checks on behalf of our hosting clients and passed that information along to them. We were also involved heavily with PCI Compliance, so we had version scans that ran on a server level and we also extended those scans to our clients' individual accounts too.
But when you start going 3 levels deep, that really can put a lot of taxation on your own resources needed to execute scans and investigations. I guess it all depends on the price point of services at that stage.