You'll have to split your question up, a secure system deals with:
- Server environment
- Custom modules
Orchard has no known issues, but you'll have to look into password complexity rules
The server hardening is up to you,remove unused windows services, IIS modules,firewall settings, DB encryption, etc
Custom code and 3rd party modules are also your responsibility, for example the Contrib.Profile has some huge security leaks by default
And a secure system can become insecure by your users.