If you want something easy and fast to setup, go for WHMCS.
I personally prefer Blesta because you have control with the code (most of the code is unencrypted) and their API is fully documented with the models, etc.
It's not needed. Unless s/he needs SSL certificates on each website, or have high traffic (helps with site speed and crashing).
Set up Virtual Hosts with multiple domains.
It's only the VPS clients, so I guess they didn't start from scratch because of the shared hosting clients on their servers. I have a shared account there and it's functional.
I see you're storing MD5 passwords into the database, and then verifying them by a query.
You can easily use password_hash and then password_verify it when logging in (if PHP 5 >= 5.5.0), else use https://github.com/ircmaxell/password_compat.
Do you actually go and check each VPS for updates, etc?
I was thinking of creating a management (admin) portal that connects to all virtual servers via a SSH Key inserted into the template (with the user's permission), and can execute commands to multiple servers, monitor servers, configure...
I'm not sure about CSF. However, this mod_security rule might help. After multiple failed log ins in 3 minutes, they should receive a 401 Unauthorized error page.
# WordPress Bruteforce Protection
SecDataDir /tmp
SecAuditLogType Concurrent
SecAction...
I think it has some backend software, as the button's text (Issue Reboot, Issue Shutdown, Dropdown in OS Reload) is the same as the ServerComplete control panel.