Removing the ability of anonymous users to do things like post comments is one of the next steps.
There shouldn't be that many 777 directories any more. The main cache one, plus some modules require them (something I would like to see go away). Make sure there is a read-only index.html file in each of those directories that forces users attempting to directory browse back to the page they came from.
A hosting service that runs an Apache instance for each hosted site, with its own user id. Most don't do this, instead all the hosted sites run under one instance of Apache that uses one user id -- meaning any chmod 777 directory can be written by somebody else's site.
Be careful of add-on modules.
Watch your logs.
Anybody set up Tripwire for a XOOPS install? That's one of the things I'm looking at.
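An added example, not part of the original post: a POSIX shell audit for the two points above about 777 directories and their read-only index.html files. It generalizes "777" to any world-writable directory; the function name and the web root argument are assumptions.

```sh
#!/bin/sh
# Added example: list every world-writable directory under a web root and
# report whether it holds a read-only index.html.
# Output is one tab-separated line per directory: STATUS<TAB>PATH
#   OK        index.html exists and has no write bits set
#   WRITABLE  index.html exists but is writable by owner, group or other
#   MISSING   no regular index.html in the directory
# Assumption: directory names contain no newlines.
audit_world_writable() (
    root=$1
    # -perm -0002 matches any directory with the "other" write bit set,
    # which covers 777 as well as modes such as 757 or 1777.
    find "$root" -type d -perm -0002 -print |
    while IFS= read -r dir; do
        idx="$dir/index.html"
        if [ ! -f "$idx" ]; then
            printf 'MISSING\t%s\n' "$dir"
        elif [ -n "$(find "$idx" \( -perm -0200 -o -perm -0020 -o -perm -0002 \) -print)" ]; then
            printf 'WRITABLE\t%s\n' "$dir"
        else
            printf 'OK\t%s\n' "$dir"
        fi
    done
)

# Run against the path given on the command line, e.g. the site's document root.
if [ "$#" -gt 0 ]; then
    audit_world_writable "$1"
fi
```

Running this from cron and diffing the output against the previous run shows new world-writable directories as they appear. In a world-writable directory without the sticky bit, any local user can still delete or replace a read-only index.html, so a directory that changes from OK to MISSING deserves a look.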