As you've pointed out, plain text data in the web.config can be a compromise, but you can encrypt most sections there (using aspnet_regiis if you have console access, or in code if not). My understanding of this is that it is not bulletproof if they have write access to your web folder (they could either repeat the same process to unencrypt, or drop in some code), but it eliminates another bunch of vulnerabilities (at least now a would-be attacker has to be even more savvy, and have even more permissions that they shouldn't have). I think the key here is to find a host that you can trust.
More generally, I'd say it really depends on the sensitivity of what you're trying to secure. You should consider that someone already has access to your database, and consider the risk of them having this. Thus most payment providers won't necessarily encrypt your address in their database, but will probably encrypt your credit card details. You could encrypt all data in your system, but the extra overhead (both in terms of CPU cycles, and inability to maintain the data in absence of decryption) means you need to balance this.
But in general, find a reputable host, get an SLA of sorts that clearly states roles and rights (and your rights should an employee abuse them), and then do a risk analysis of sorts to establish the risk if someone had access to your data, literally on a column by column basis. This would vary from no risk to lost reputation (e.g. your customers lose some trust since your privacy policy isn't accurate because some script kiddy has just posted your customer details on a spammer's ebay), to lawsuits or jail time (said script kiddy stole 100s of millions from your customers), and likely a whole lot in between.
When you get into lawsuit and jail time risk, you probably want to outsource that to experts in security, such as payment providers, and make it their problem. Make it their job to prowl the hackers' forums to find the latest vulnerabilities, read Bruce Schneier's latest papers, and so on.
After having just re-read your question, I realise that this doesn't necessarily speak directly to it. Once you've encrypted connection strings, and have implemented the security features in asp.net, and have encrypted the most secure data, the rest really lies with your host. They need to secure IIS, protect your folders from unauthorised access, and so on. Since they've taken this on as a service (their offering), I'd generally presume that they're doing a better job than I would. If I was an expert in such things, though, I'd probably get dedicated hosting, and configure the server myself.
The high road might seem longer at first, but you'll enjoy the downhill at the end...
http://blog.benhartonline.com/
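The "in code" route to encrypting a web.config section that the answer above mentions, as an added example that is not part of the original post; the class name `WebConfigProtector` is made up, everything else is the standard .NET protected-configuration API, and the DPAPI caveat noted in the comments is why the same file will not decrypt if copied to another machine.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Added example (hypothetical helper name). Encrypts or decrypts a web.config section
// using the built-in protected-configuration providers. Command-line equivalent when
// you have console access on the box:
//   aspnet_regiis -pe "connectionStrings" -app "/MyApp"
public static class WebConfigProtector
{
    // DPAPI-backed provider: the key is bound to this machine, so the encrypted section
    // only decrypts on the server that encrypted it (fine for a single shared host).
    public const string DpapiProvider = "DataProtectionConfigurationProvider";
    // RSA-backed provider: use on web farms, exporting/importing the RSA key container.
    public const string RsaProvider = "RsaProtectedConfigurationProvider";

    // Encrypts a section such as "connectionStrings" in place.
    // Returns true if the file was changed, false if it was already protected.
    public static bool Protect(string sectionName, string provider = DpapiProvider)
    {
        // "~" opens the web.config at the application root
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.ProtectSection(provider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    // Reverses Protect(). As the answer notes, anyone who can write to the web folder
    // and run code as the application can call this too, so it narrows, not removes, the risk.
    public static bool Unprotect(string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;
        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}
```

Application code needs no change after encrypting: `ConfigurationManager.ConnectionStrings["Main"].ConnectionString` is decrypted transparently by the provider at read time.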