The last one is one of the signers and it's a physical server in a secure location that we have visual access to 24/7, so it can't be tampered with.
Did you mean physical access? Or does this mean there's a camera pointed at the server?
I will also change all servers and rotate providers once in a while just to be sure.
When you move a server to a different provider, do you also create a new multisig (so the privkey/seed from the retired server is no longer valid)?