GreaterGlider, 2020-08-26 21:24:00
linux

What approaches are currently used to build web servers?

Good day to all. In a spherical budgetary organization, two hosting servers with about 50 sites each are left over from the previous admin. The whole thing runs on Debian with Apache 2 and MySQL 5.x. The sites are on a variety of engines, including very ancient ones, whose admins disappeared long ago.

All the security is fail2ban, chroot jails for sftp users and a changed SSH port. What is in fashion today: all sorts of Docker, Kubernetes and so on? Or in which direction should I dig? Thank you.


5 answers
Victor Taran, 2020-08-27
@GreaterGlider

So you will need:
1. Since the engines differ, and some are old, the hosting needs:
a) php5.2 (if there really is something for it), php5.3, php5.4, php5.6, php7.0, php7.1, php7.2, php7.3, php7.4 as FastCGI or mod_apache; 5.2 and 5.3 will have to be compiled from their tarballs, since they are not in the repo.
b) php7.0, php7.1, php7.2, php7.3, php7.4 as PHP-FPM; these with all kinds of representations by one command.
c) nginx + apache, since for old sites it is insanity to rewrite .htaccess for clean nginx + FPM.
d) I would say connect virusdie to every site, but they rebranded and raised the price 100 times, so don't hold it against me.
However, something needs to be done about viruses, so what will we do about viruses:
1. su_exec on/off per site: disables the exec function for old sites; it is usually not needed.
2. There is no point in setting open_basedir.
3. We need an instant rollback system for old sites; it is possible to simply roll back a backup once a month (if the sites are already static), which is cheaper than dealing with each of them all the time.
4. Take a large file storage, Yandex Cloud or Hetzner (10 TB of storage is cheap there), mount it via CIFS and back everything up there once a month, deleting every 5 years, also by cron.
A separate folder per site, which is always cleaned of viruses, and if a site for some reason gets messed up, you need to have a very old backup in addition to the usual ones. Preferably somewhere else.
5. Old sites should be able to have mail disabled; this can be done through the Apache settings, the main thing is to surface it in the interface.
Something like:
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source,mail,apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, syslog, system, xmlrpc_entity_decode, mail
It would also be nice to collect in a log file which specific files send spam and from which line, since this will constantly cause bans, so you will need to monitor it:
mail.add_x_header = On
mail.log = syslog
Here it goes straight to syslog, but you can also send it to a separate file, and then into its monitoring.
You will also need to monitor the mail queue and respond to sharp peaks.
You may need curl, mpdf, zend_optimizer (php 5.2), zend guard_loader (5.3), ioncube and similar special things.
Personally, I build all this on ispconfig 3 plus the nginx module plus my own customizations.
600 sites fly normally.
It would also be nice to connect some kind of antivirus and scan the system with something like ai-bolit.php or web services.
BUT you definitely need to have a quick rollback function, and very ancient sites can get broken so often that all of the above will not help much.
For particularly nasty sites, you can convert them to html.
The hosting must support letsencrypt, and you also need to monitor that certificates can be issued; as a rule, in 99% of panels, if at least one of the certificates is not issued, the rest will not be issued either.
I can suggest VestaCP, BrainyCP, Bitrix VM; all of them are installed with one click, each has its pros and cons.
Well, or as an option: Yandex in Kubernetes can host html sites for free, and for php make a VPS, where you can make snapshot backups and mount local storage.
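The two mail.* settings in the answer above make every PHP mail() call leave a record naming the script and line that sent it. What follows is an added example, not code from the thread, from ISPConfig or from any panel: a small Python script that summarises such a log and ranks origins by volume, so the one file that is spamming (and getting the server banned, as the answer warns) stands out from legitimate contact forms. It assumes mail.log points at a file and that each record has the form `mail() on [/path/script.php:LINE]: To: ...` (with mail.log = syslog the same text lands in syslog with a prefix); the sample records, the paths, the `/uploads/` marker and the threshold of 3 are all constructed for the example.

```python
"""Summarise PHP mail() log records by originating script and line.

Added example, not code from the thread. Assumes PHP's `mail.log` points at
a file and writes one record per mail() call in the form
'[date] mail() on [/path/script.php:LINE]: To: ... -- Headers: ...';
with mail.log = syslog the same text arrives in syslog with a prefix.
The sample records below are constructed.
"""
import re
from collections import Counter

# Constructed sample of a PHP mail log (paths and addresses are made up).
SAMPLE_LOG = """\
[26-Aug-2020 21:24:00 UTC] mail() on [/var/www/site1/contact.php:42]: To: office@example.invalid -- Headers: From: site1@example.invalid
[26-Aug-2020 21:24:03 UTC] mail() on [/var/www/site2/wp-content/uploads/cache.php:7]: To: a1@example.invalid -- Headers: From: promo@example.invalid
[26-Aug-2020 21:24:03 UTC] mail() on [/var/www/site2/wp-content/uploads/cache.php:7]: To: a2@example.invalid -- Headers: From: promo@example.invalid
[26-Aug-2020 21:24:04 UTC] mail() on [/var/www/site2/wp-content/uploads/cache.php:7]: To: a3@example.invalid -- Headers: From: promo@example.invalid
[26-Aug-2020 21:25:10 UTC] mail() on [/var/www/site1/contact.php:42]: To: office@example.invalid -- Headers: From: site1@example.invalid
this line is not a mail() record and is skipped by the parser
"""

# Extracts the calling script, its line number and the first recipient.
MAIL_RE = re.compile(
    r"mail\(\) on \[(?P<script>[^\]]+):(?P<line>\d+)\]: To: (?P<to>\S+)"
)


def parse_mail_log(text):
    """Yield (script, line, recipient) for every mail() record in text."""
    for raw in text.splitlines():
        m = MAIL_RE.search(raw)
        if m:
            yield m.group("script"), int(m.group("line")), m.group("to")


def count_by_origin(text):
    """Number of mail() calls per (script, line) pair."""
    return Counter((script, line) for script, line, _ in parse_mail_log(text))


def suspicious_origins(text, threshold=3):
    """Origins with at least `threshold` calls, busiest first.

    The threshold is a constructed example value; a real cutoff depends on
    the host's normal volume, or on the change from the previous day's counts.
    """
    return [(origin, n) for origin, n in count_by_origin(text).most_common()
            if n >= threshold]


def origins_in_upload_dirs(text, marker="/uploads/"):
    """Origins whose script lives under an uploads directory.

    PHP executing from a directory meant for uploaded files is worth a look
    regardless of volume; the marker is an assumption about the site layout.
    """
    return sorted({(s, l) for s, l, _ in parse_mail_log(text) if marker in s})


if __name__ == "__main__":
    for (script, line), n in suspicious_origins(SAMPLE_LOG):
        print(f"{n:4d} mail() calls from {script}:{line}")
    for script, line in origins_in_upload_dirs(SAMPLE_LOG):
        print(f"script under an uploads directory: {script}:{line}")
```

Run against the real log (for example `python3 mailsum.py < /var/log/php-mail.log` after replacing SAMPLE_LOG with `sys.stdin.read()`), the counts give both the file to quarantine and the line to inspect, and the uploads check catches the low-volume case that a pure count misses.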

Vitaly Karasik, 2020-08-26
@vitaly_il1

"What is in fashion today, all sorts of Docker, Kubernetes, etc., or in which direction to dig"

I would forget about fashion and K8S.
To be really correct and safe, you need to update everything. But something might break during the update.
Therefore, the minimum program (IMHO):
- backups, backups, backups
- close all unnecessary ports
- SSH only by key
- delete the users fired over these ten years, change the passwords of the remaining ones to "serious" ones
After that, slowly try to:
- update whatever can be updated
- separate users and file permissions

CityCat4, 2020-08-27
@CityCat4

Do you want fashionable or safe? Docker and Kubernetes are fashionable, stylish and youthful (just like "clouds" used to be), but if they don't fit the task, there's no need to drag them in.
If it is still safe, then:
- first, a full (full!, that is, including all the old servers without exception) backup, so that there is somewhere to return to.
- then identification of all existing users; everyone unknown gets banned
- for everyone who is known, change passwords
- if possible, restrict ssh by IP and switch to key authentication.
- check all services sticking out to the outside and shut down unnecessary ones
- gradual replacement of all engines with their modern versions, MySQL update
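The two checklists above (Vitaly Karasik's and CityCat4's) share the same first steps: identify the accounts, drop the unknown ones, and make SSH key-only. As an added example, not from the thread or from any of its authors, here is a Python check that reads an sshd_config and a passwd listing and reports what still deviates from those steps, so the result can be re-run after each change. It assumes top-level `Directive value` sshd_config syntax (Match blocks are not evaluated), OpenSSH's defaults when a directive is absent, and the seven-field passwd format; the config, the accounts and the KNOWN_USERS list are constructed samples.

```python
"""Check sshd_config and a passwd listing against the thread's first steps:
key-only SSH, no root password login, no unknown interactive accounts.

Added example, not code from the thread. Assumes plain 'Directive value'
sshd_config lines at top level (Match blocks are not evaluated), OpenSSH
defaults for absent directives, and seven-field passwd entries. All inputs
below are constructed samples.
"""

# Constructed sshd_config: password auth is still on (the 'no' is commented
# out, so OpenSSH's default 'yes' applies) and root may log in with a password.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real server's config
Port 2222
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed passwd listing: two accounts nobody can vouch for.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
site7:x:1007:1007::/var/www/site7:/bin/sh
sftp_site3:x:1013:1013::/var/www/site3:/usr/sbin/nologin
"""

# Constructed: the people the current admin has identified.
KNOWN_USERS = {"alice"}

# Shells that refuse an interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_sshd_config(text):
    """Return {directive_lowercase: value}; like sshd, the first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def sshd_findings(text):
    """Deviations from key-only, no-root-password SSH.

    Defaults follow OpenSSH when a directive is absent: PasswordAuthentication
    yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes,
    PermitRootLogin prohibit-password.
    """
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if s.get("challengeresponseauthentication", "yes") != "no":
        findings.append("ChallengeResponseAuthentication is not 'no' "
                        "(PAM can still prompt for a password)")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if s.get("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes allows root password login")
    return findings


def interactive_accounts(passwd_text):
    """Account names whose login shell permits an interactive session."""
    names = []
    for raw in passwd_text.splitlines():
        fields = raw.split(":")
        if len(fields) != 7:
            continue
        if fields[6] not in NOLOGIN_SHELLS:
            names.append(fields[0])
    return names


def unknown_interactive_accounts(passwd_text, known=KNOWN_USERS):
    """Interactive accounts not on the admin's list (root is covered by
    PermitRootLogin, so it is reported separately above)."""
    return [u for u in interactive_accounts(passwd_text)
            if u != "root" and u not in known]


if __name__ == "__main__":
    for f in sshd_findings(SAMPLE_SSHD_CONFIG):
        print("sshd:", f)
    for u in unknown_interactive_accounts(SAMPLE_PASSWD):
        print("unknown interactive account:", u)
```

On a real host the two inputs are the contents of /etc/ssh/sshd_config and the output of `getent passwd`; an empty findings list and an empty unknown-accounts list is the state both answers are asking for before the slower work of updating engines begins.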

Karpion, 2020-08-27
@Karpion

Which engine to use for a site is determined by that site's functionality. Somewhere plain HTML is suitable, somewhere more is needed.
General security considerations have already been given to you, and I agree with them. Although the previous authors did not say anything meaningful about the engine; well, in the first sentence I justified why they could not advise anything: there is no information.
The degree of site isolation also depends on the task.
In some cases you can not isolate at all, but run virtual servers within Apache, IP-based or DNS-based. At least this is normal for static sites in plain HTML (and JS, Adobe Flash and other programs running on the client side do not change anything here). But you have MySQL, which means server-side scripts run, and they need to be isolated. But how exactly to isolate depends on the task.

Stanislav Pugachev, 2020-08-27
@Stqs

I would set up a Kubernetes cluster, dockerize the sites one at a time and deploy them to k8s. And then just shut down these unfortunate servers.
