If you care about your Google ranking and don't mind the cost of an SSL cert ($75 to $200 annually), moving to HTTPS can make sense.
What you as an organization or company should budget for Drupal website support really depends on your circumstances. It depends on how you define "Drupal support" and the size and complexity of your site.
Deleting is a very permanent activity, and restoring deleted content can be a cumbersome process. So, should you allow your website users to delete content?
The Drupal security team publishes security updates to Drupal core and contributed modules. Do you need to actually test these official security updates?
When we work with a new Drupal support client, we often ask for a small number of hours both to acquaint ourselves with the specific configuration and to implement some best practices.
Google search prefers mobile-responsive websites for optimal search results, but you might need to evaluate your business needs before redesigning your Drupal website.
Many of our prospective clients who relate how their current vendor didn't work out have had a common set of support failures.
When Drupal 8 is officially live, the Drupal security team will supply security updates for Drupal 6 for six months. You'll want to plan your upgrade to coincide with that timeframe.
While you can make many changes to your production website, you probably don’t always want to publish every possible change for the entire world to see.
Your website could be susceptible to Drupal vulnerabilities if you do not follow Drupal security best practices and implement them quickly.