PGP Universal is based on CentOS but it is not an "application" running on top of CentOS. We do the hardening ourselves. We do not install packages we do not need, we do not enable services that aren't needed, and we set up firewall rules to restrict access as appropriate. There are no "users" of the system per se; you cannot log into the console and ssh access must be explicitly configured. The only way to interact with it is through the administrative web interface or through one of the enabled services.
With every release we run penetration tests and we regularly update packages to address vulnerabilities that get reported against those packages (e.g. in OpenSSL, DNS, the Linux kernel, etc.).
Regards,