I hear one of the biggest reasons stated for using a VPS as opposed to shared hosting is the added security. But I have also heard of servers being brought down because a site that was hosted on VPS was hacked, and through it the whole server was taken down. Everything back till the most recent back up was lost.

So was this server badly set up? Is the additional security really sufficiently good to merit the extra cost?

A VPS security level is only as good as the vps administrator makes it. Basically a VPS server is a small dedicated server in the terms of how it functions. It is still your responsibility to secure and optimize your VPS.

The reason that site was hacked either could have been due to a poorly coded script or the VPS administrator did not secure the VPS properly.

Shared hosting and a VPS can have the same security level and again they might not. If you get a shared hosting plan then its up to your hosting company to secure the server and you have to hope they have secured it properly. On a VPS server is is your responsibility unless the company to got it from offer a service to you hire a server administrator to do this for you.

What if its a Managed VPS? Who is responsible for security of the server in that case?

Well it depends, there are many different opinions when you refer to the term "Managed". If they are fully managed then it is the responsibility of the company providing the management to a point. I say that because the account holder of the VPS could make changes themselves that could effect the security.

Thank you. Yes, in this case it was a managed VPS, and when the server was hacked the company got very angry with the owner of the site on the VPS as this had happened before. The last time they simply insisted he move to VPS, unfortunately it would seem that it was their own fault for not shoring it up properly.

Ultimately they asked for the site to be moved elsewhere, which now seems all the more unfair.

VPS does offer more security options than shared web hosting, but you are still in a shared environment. Very important distinction.

To the extent that any VPS might kill the host thus all the VPS's on that host, you are correct. However, you must ensure that your VPS is managed and secured, whereas in a shared environment it's the host's responsibility as you do not have that ability.

A fully managed VPS (ie. the owner doesn't install any software on the server, its all done by the managers) can be secured fully so its not the responsibility of the VPS owner.

But 99.9 % of the time, the owner of the VPS has the power to install software and scripts that can compromise the security of the VPS. So in that case, its a shared responsibility.

The host server security is always the reponsibility of the company that owns it, and they can't blame a hack of a hardware node on a VPS owner, thats crazy. A VPS can be fully isolated from the hardware and other customers for that purpose.

In a shared environment, you are never fully isolated from other customers so your security is always at risk. One other customer sending spam might blacklist your site just because you share the same IP. It might even cause legal trouble for you.

A VPS insulates you from the mistakes of other customers, but not your own mistakes

Even a fully-managed VPS will not always be fully secured by the host. The host will update and secure the hardware and make software updates that affect all VPS's. Beyond that it may take a trouble ticket from the VPS owner to have the host update and secure a specific VPS. You cannot depend on the host to do so without a request.

Of course, much depends on the virtualization software and associated control panel that's used.

A VPS theoretically has higher potential security, since you can update and secure the server as well as any virtual hosting provider can, and are not constrained by the security concerns that come from sharing a virtual server with other websites.