Pretty much any BYOD provider can easily beat that, but you’d be on your own for configuring it.

No, but password strength matters and you’re 1 weak password away from thousands of dollars in fraudulent calls. So, make sure all passwords are long and strong.

Use a random port, not the default or one of the common alternatives. This is not security and will not keep a determined attacker out, but it will cut down on all the noise from blind internet scans.

Enable a firewall and use fail2ban or similar to ban brute-force attempts.

Enable call limits, such as prohibiting international calls and limiting the number of calls per hour an extension can make.