Security question pertaining to web application deployment
Posted by orokusaki on Server Fault, published 2010-10-05T17:18:00Z
Tags: security
I am about to deploy a web application (in a couple of months) with the following set-up (perhaps, anyway):
Ubuntu Lucid Lynx with:
- iptables firewall (whitelist style with only 3 ports open)
- Custom SSH port (like 31847 or something)
- No "root" SSH access
- Long, random username (not just "admin" or something) with a long password (65 chars)
- PostgreSQL which only listens on localhost
- 256-bit SSL cert
- Reverse proxy from NGINX to my application server (UWSGI)
- Assume that my colo is secure (Physical access isn't my concern for the time being)
- Application-level security (SQL injection, XSS, Directory Traversal, CSRF, etc)
- Perhaps IP masquerading (but I don't really understand this yet)
Does this sound like a secure setup? I hear about people's web apps getting hacked all the time, and part of me thinks, "maybe they're just neglecting something", but the other part of me thinks, "maybe there's nothing you can do to protect your server, and those things are just measures to make it a little harder for script kiddies to get in". If I told you all of this, gave you my IP address, and told you what ports were available, would it be possible for you to get in (assuming you have a penetration testing tool), or is this really protected well?
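Several items on that list (no root SSH, non-default SSH port, PostgreSQL bound to localhost, a whitelist firewall with three open ports) are things a host can be checked against after deployment, which is usually how such a setup drifts out of shape. The script below is an added example, not code from the original post or its answers: it audits those items by reading config files and saved `iptables -S` output whose paths are passed as parameters. The sample configs it creates at the bottom are constructed for demonstration, and the port 31847 and the three-port limit are taken from the question itself.

```bash
#!/usr/bin/env bash
# Added example (not from the original Server Fault post): audits config
# files against three items of the checklist above. Paths are parameters,
# so the functions can be pointed at /etc/ssh/sshd_config, postgresql.conf
# and the output of `iptables -S`, or at the constructed samples below.

# First effective value of KEY ($2) in an sshd_config-style file ($1).
# sshd uses the first non-comment match for a key, so we do the same.
cfg_value() {
  awk -v k="$2" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(k) { print $2; exit }
  ' "$1"
}

# sshd: root login off, non-default port, password auth off.
# Prints one line per finding; return code = number of findings.
# An absent key is treated as the insecure default (yes / 22 / yes).
check_sshd() {
  local f="$1" n=0 root port pw
  root=$(cfg_value "$f" PermitRootLogin)
  port=$(cfg_value "$f" Port)
  pw=$(cfg_value "$f" PasswordAuthentication)
  [ "${root:-yes}" = "no" ] || { echo "sshd: PermitRootLogin=${root:-yes}"; n=$((n+1)); }
  [ "${port:-22}" != "22" ] || { echo "sshd: listening on default port 22"; n=$((n+1)); }
  [ "${pw:-yes}" = "no" ]   || { echo "sshd: PasswordAuthentication=${pw:-yes}"; n=$((n+1)); }
  return "$n"
}

# postgresql.conf: every entry of listen_addresses must be a loopback name.
# An absent key means PostgreSQL's own default, 'localhost'.
check_pg_local() {
  local raw addr addrs
  raw=$(grep -E '^[[:space:]]*listen_addresses[[:space:]]*=' "$1" | head -n 1 \
        | sed -e 's/#.*//' -e 's/^[^=]*=//' -e "s/['[:space:]]//g")
  IFS=',' read -r -a addrs <<< "${raw:-localhost}"   # no globbing of '*'
  for addr in "${addrs[@]}"; do
    case "$addr" in
      localhost|127.0.0.1|::1) ;;
      *) echo "postgres: listen_addresses includes '$addr'"; return 1 ;;
    esac
  done
  return 0
}

# Saved `iptables -S` output ($1): INPUT policy must be DROP and at most
# $2 (default 3) tcp/udp destination ports may be accepted.
check_ipt_whitelist() {
  local f="$1" max="${2:-3}" open
  grep -qx -- '-P INPUT DROP' "$f" || { echo "iptables: INPUT policy is not DROP"; return 1; }
  open=$(grep -c -- '--dport .* -j ACCEPT' "$f" || true)
  [ "$open" -le "$max" ] || { echo "iptables: $open ports accepted (limit $max)"; return 1; }
  return 0
}

# --- Constructed sample inputs (not real host data) ---
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/sshd_good" <<'EOF'
# sshd_config matching the checklist in the question
Port 31847
PermitRootLogin no
PasswordAuthentication no
EOF
cat > "$SAMPLES/sshd_bad" <<'EOF'
#PermitRootLogin no
Port 22
EOF
cat > "$SAMPLES/pg_good" <<'EOF'
listen_addresses = 'localhost'   # what IP address(es) to listen on;
port = 5432
EOF
cat > "$SAMPLES/pg_bad" <<'EOF'
listen_addresses = 'localhost, 10.0.0.5'
EOF
cat > "$SAMPLES/ipt_good" <<'EOF'
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 31847 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
EOF
cat > "$SAMPLES/ipt_bad" <<'EOF'
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
EOF

# report LABEL CHECK_FN FILE...: runs a check and prints PASS/FAIL.
report() {
  local label="$1"; shift
  if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}
report "sshd (good sample)"     check_sshd          "$SAMPLES/sshd_good"
report "sshd (bad sample)"      check_sshd          "$SAMPLES/sshd_bad"
report "postgres (good sample)" check_pg_local      "$SAMPLES/pg_good"
report "postgres (bad sample)"  check_pg_local      "$SAMPLES/pg_bad"
report "iptables (good sample)" check_ipt_whitelist "$SAMPLES/ipt_good"
report "iptables (bad sample)"  check_ipt_whitelist "$SAMPLES/ipt_bad"
```

On a live host the same functions run as `check_sshd /etc/ssh/sshd_config`, `check_pg_local /etc/postgresql/*/main/postgresql.conf` and `check_ipt_whitelist <(iptables -S)`. The checks deliberately read the first non-comment match (as sshd does) and strip trailing comments (as PostgreSQL does), because a commented-out `#PermitRootLogin no` is the usual way a "hardened" file silently falls back to the insecure default; the sshd check returns the number of findings so a cron job can alert on any non-zero result.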