> It seems that the general concern they are getting from IT is that since WeBWorK is open source, it must be full of security holes.
Practically every web application is powered by open-source software in some way or another. If their assumption is correct, then why don't we see everyone using Microsoft or Apple as the OS for their servers? ;P
But as to your main points, downtime is always a risk, though if it is at all possible to have a remote management option for your server, the duration of any downtime can be greatly reduced. For example, our WeBWorK server is now cloud hosted, and I have had no issues being able to reboot the machine in case of any problems. If remote management is not an option, then as you said, assignment extensions are a natural remedy for prolonged downtime.
In these types of negotiations, I find it useful to ask about the specific security concerns that IT has rather than a vague generalization of WeBWorK being "insecure".
With regards to data security, WeBWorK itself does not require any information about students beyond their names -- though in practice, student emails and sometimes their university IDs may be present. In terms of data exposure, email addresses are usually considered public, leaving only their private IDs as "sensitive data". If this is a major concern, then it is easy enough to avoid their use.
Other fundamental security concerns can be resolved by implementing basic security protocols. Disable root login, using sudo for privileged actions; disable password authentication for ssh, using ssh-keys instead; check for and install system package updates regularly; and firewall all ports except for SSH and HTTPS.
Finally, security issues should be reported on GitHub. Then, when the dev team has resolved the issue, updates can be implemented with `git pull` and a restart of the webwork2 service.