We generally don't even have to reboot for security upgrades (and when we do, for a new kernel or something, downtime is generally brief). We generally track the stable version of Debian Linux, which is one of the more stable / secure (i.e. conservative) distributions of Linux.
We do maintain our own packages (i.e. Apache, PHP) for certain software; in this case we patch software as soon as a vulnerability is made public.
Generally reporting an attack of some sort would be done via email, but we generally are the first to notice this sort of thing (since it usually causes other problems that make our pagers go off). While we try to prevent exploits, we would most likely swap out an exploited machine for a new machine (our system makes it pretty easy to swap out an entire web machine in a matter of minutes).
With a DoS attack, the response would also depend on whether the attack was distributed or not; obviously a DoS attack with one source is much easier to block at the router than a distributed DoS attack.
I think it's extremely unlikely that one of our providers would go out of business without at least a few months of warning; we've done one move recently (with fairly little downtime), so it would not be difficult for us to do it again if necessary. We're not going anywhere!