These are great questions!

Regarding your pressing matter of the security patches: At Creatuity we usually quote an hour, but its frequently much less actual billable time (like 10-15 minutes). It's time/money well spent, as we have seen situations where sites where attacked through known security holes. Being proactive is a worthwhile expense. Keep in mind that establishing a long-term relationship with a company will ensure they can do work faster on your site, since they aren't having to 'get up to speed' each time. So an initial quote from someone new might be higher.

Regarding how to feel confident in your developer/agency when you aren't technical: Let me begin by saying that I'm not a developer myself. So I absolutely understand being in your situation.  I think that its important to try to establish a long-term relationship built on trust, open communication, and fairness.  This is a two-way street - I've been on both sides and can tell you that trusting a developer/agency takes both parties active participation in the relationship. Open communication is critical to establish realistic expectations, and ensure you are 'on the same page' about what a successful relationship looks like. Everyone values different things - some clients are solely cost-centric, others need things delivered super quickly, and like in your case, sometimes trust is the most important factor. Naturally you can vet the partner through references and/or other community members, and definitely ensure that the actual developer performing the work is a Magento Certified Developer (via the Certification Directory).  But beyond that, it becomes "fuzzy" on how to know if you can trust someone.  It's almost like dating - you have to take an initial leap, but take it slow, while communicating very clearly and openly about expectations. 

You should expect clear communication back from the developer about why things are complex, or whatever you particular concern is. If you aren't getting enough information to feel informed, ask again. You shouldn't be afraid to ask direct questions- I find honest people are usually very eager for you to be direct, so that they don't have to try to 'guess' the real concern. When someone asks me "Does Creatuity outsource development?" I am eager to say "Absolutely not." It's the truth, and we have nothing to hide. If you fail to ask the questions that are important to you, no matter how awkward, then you are missing a critical opportunity to save yourself some surprises later. Now if they iie to you, then of course that's an entirely different scenario. If that is what happened here, I am so sorry, and truly hope you can find someone that is more honest. There are certainly "lots of fish in the sea", so don't let one bad experience ruin it for you.

If you have ever made hiring decisions, you know how difficult it is to judge integrity from a job application. That is essentially what you are trying to do looking websites, portfolios, and partner directories.  It will take a lot of extra work to get to the point where you actually feel like you can trust each other.  Sometimes it also just takes time working together slowly, cautiously, and openly. Almost like what you would do a probationary period for a new employee. There's absolutely nothing wrong or impolite about being cautious - we all understand how tough it is to build trust.

By the way, I wrote a blog article awhile back about questions that I would recommend asking a potentional Magento developer or agency: http://creatuity.com/2014/04/09/questions-potential-magento-development-firm/

Let me know if I can answer any other questions. I hope this helps in some way, and really do wish you the very best in finding a partner you can trust.