The Joomla folks are pretty serious about security issues. Their security people make up the Joomla Security Strike Team.
As with almost any other server application, the two most important things you have to do to maintain security are proper configuration and prompt updates.
For proper security configuration, she should become very familiar with the Joomla Administrators Security Checklist.
Joomla had two known security vulnerabilities fixed at the beginning of November. Joomla 1.5.8 includes the fixes.