This assessment was interesting, mostly because I noticed that the client didn’t implement any kind of policies or have a Privacy Officer. For me this is something that shouldn’t be overlooked. Policies and a Privacy Officer should exist and follow best practices and laws according to GDPR and other regulations. This is not only to avoid fines, but also shows users that you know what you should or shouldn’t do with their data. They will be confident and understand that you care about them.
While I was checking the Security checks report for Moodle, I also noticed a few things I could improve, such as hiding/deleting sensitive folders and/or files.