DB security is largely dependant on the environment it is running in, on Azure we can lock it down so only webapps on azure can use it.
Otherwise we use long randomly generated passwords.
Our systems use a long, randomly generated 'code' for any cryptography that the system uses, whether this is for code you are sending to an external system or anything you are encrypting.
This means that to decrypt any data we have encrypted, a malicious actor has to get onto our server and have access to our most sensitive information already to be able to find the keys.
CMS passwords for your clients and for your own logins are automatically encrypted on creation, an administrator cannot ever view the passwords and we can also lock down access to changing passwords of members (visitors who may login to your website).
Umbraco already has the administartive logins setup for best practice passwords, but we can also alter it to only allow passwords of a longer minimum length and force other behaviours such as a minimum number of non-alphanumeric characters.
We can add 2-factor authentication for both the CMS editors and visitors with logins, and we can also implement custom authentication with 3rd party providers such as wsFederation, Google, Azure AD and others if you require external logins, we can even have both local and 3rd party logins operating at the same time with different access permissions.
Umbraco uses different systems for backoffice user authentication that it does for member logins (visitors with logins). This keeps the framework of authentication separated.
User permissions - You may grant certain permissions by login type, these permissions may restrict the media a user can access when editing pages, it may also stop them from publishing a page but restrict them to only saving it, with a heigher level user being notified and having the ability to then edit or publish the changes.
You may also restrict user access to only one part of your website's structure and they will not even see the areas or pages that are restricted from them.
The Umbraco CMS itself is tested for vulnerabilities every 6 months by external professional pentesters, but being open source also means that anyone looking over the code can submit a bug report on possible vulnerabilities.