SSID cloaking tends to reduce security rather than increase it
If SSID broadcast is enabled then the clients configure themselvs to listen for it. If SSID broadcast is turned off then each of your wireless clients walks around the city calling out for the router. Even the fearsome script kiddies have the basic tools to spot an unbroadcasted SSID. As a result, not broadcasting your SSID increases rather than providing any security benefits. One could always use a randome string of characters rather than "bobsbusiness".
WEP is that critical an issue. If there is hardware that only supports WEP forcing the router to be left unsecured with it then the company needs to decide how important that bit of hardware on wireless is. Popping WEP is a five minute job, faster for those more capable than a kiddie. If it is the router that only supports WEP then it needs to be replaced as a business expense or the wireless turned off.
Physically securing the server is definately high on the list of things to do like you mention. changing default names and passwords along with selecting strong different passwords is also top of the list for a router config.
Automatic updates can go either way. One school of thought is to not let Redmond choose what updates go onto business machines where the other one is that the updates come from MS so if they are broken, your screwed anyway. I wouldn't automate my home machine updates but I do manual checks regularly too. For a small business, basis windows software update server is a free app and will easily manage your network updates from a central place.
