You don't need host security if there is nothing to be kept secure - no client funds on the server, no personal data. With a fully trustless exchange you don't trust the server with *anything*, so why care at all if it is secure?
Systems security and host security are also different, as it covers business systems and processes and not just a server. In your Reddit post you say the following about a gateway:
As shown by gmaxwell/nullc, you can do zero knowledge proofs of summation of user balances to get clear knowledge about their liabilities, and they can publish bank statements to show that they have enough assets to cover a bank run.
How do you determine if a gateway's published bank statements are legitimate or forged?
Request a certified return -- essentially a sworn statement as to the truth of the facts.