1) Most of the vulnerability deals with applications such as blogs and forums that do not get updated by the end user. Cpanel has nothing to do with security issues.
As a user it is their responsibility to ensure they keep up on the security updates of their applications on their site.
2) I myself have never experienced these issues. Surpass takes security seriously from what I seen. But as mentioned, it is still up to the user to make sure their site is updated with patches.
3 and 4) Neither of these should be a problem, just put in a ticket at
http://desk.surpasshosting.com and ask them to transfer everything for you. You will have to supply them the domain name, username, and password of your account at the other host. In the end, you will see your site, stats, email just like it was at the other host, but you will be at Surpass
Cpanel makes transfers easy.