
Securing Liferay instance with front web servers

Krzysztof Gołębiowski, modified 8 years ago.

Securing Liferay instance with front web servers

Liferay Master, Posts: 549, Joined: 25/06/11
Hello Community,
I would like to post a general question (and maybe start some discussion) about your best practices for configuring front servers in order to secure Liferay server.

I used quite a lot of solutions, varying from hardware-based firewalls to software IPSes that included HTTP traffic filtering. But all those "expensive and enterprise" solutions were usually configured by administrators with appropriate certificates and I had nothing to do with it. But... if you don't have all the corporate security procedures and qualified security staff, then how do you do the security?

In my case, one of the possible options (if we choose to go with Apache HTTPD as front web servers) is using mod_security with the most recent OWASP Core Rule Set. Unfortunately these rules need to be tuned before they can be used with Liferay - some of them block Liferay core functionalities like adding documents or using the Control Panel. Recently I decided to fork the original repository and keep my own synchronized rule set that works with Liferay - https://github.com/kgolebiowski/owasp-modsecurity-crs.

Do you have any experiences with mod_security and OWASP rules? Or maybe you have some other Open Source solutions for providing high-level security?

Regards,
KG
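An added example of the kind of CRS tuning described in this post (it is not from the thread or from the fork linked above): local exclusion rules that carve out Liferay's Control Panel and Document Library requests instead of disabling CRS rules globally. The CRS rule ids, the Liferay paths and the argument name below are assumptions to confirm against your own audit log.

```apache
# Added example, not taken from the thread or from the kgolebiowski fork.
# Include this file BEFORE the CRS rule files (in CRS 3.x that is the
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf slot). The rule ids 941100/941160,
# the paths /group/control_panel and /documents/, and the argument name
# "content" are assumptions; verify them against your own audit log first.

# Step 1: detect only and read the audit log before blocking, so you learn
# which rules fire on legitimate Liferay traffic (uploads, Control Panel).
SecRuleEngine DetectionOnly
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Step 2: scope each exclusion by URI; never SecRuleRemoveById site-wide.

# Control Panel rich-text fields carry HTML by design, which trips the XSS
# signatures. Remove only that argument from those rules, not the rule itself,
# so the same signatures still protect every other parameter.
SecRule REQUEST_URI "@beginsWith /group/control_panel" \
    "id:10001,phase:1,pass,nolog,t:none,\
     ctl:ruleRemoveTargetById=941100;ARGS:content,\
     ctl:ruleRemoveTargetById=941160;ARGS:content"

# Document Library uploads are large multipart bodies; raise the body limit
# for that path only (100 MB here) so uploads are not rejected outright.
SecRule REQUEST_URI "@contains /documents/" \
    "id:10002,phase:1,pass,nolog,t:none,\
     ctl:requestBodyLimit=104857600"

# Step 3: once the audit log stays quiet for real users, switch to blocking.
# SecRuleEngine On
```

Local rule ids 1-99999 are reserved for site-specific rules, so they will not collide with CRS ids when you upgrade the rule set.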
Bijan Vakili, modified 8 years ago.

RE: Securing Liferay instance with front web servers

Expert, Posts: 375, Joined: 10/03/09

if you don't have all the corporate security procedures and qualified security staff, then how do you do the security?

I think I am in the same boat as you; depends on data sensitivity.
Though here are some basic suggestions; that shouldn't take much time to enable:
• In portal.properties, review these props: any property with the following words: "allowed", "https", "security", "required"; the default values make a lot of sense; though sometimes folks fiddle with them to make things work; and forget about the consequences; though I think you knew all these already; just putting it out there for anyone new
• Using OpenAM for protection (Liferay still calls it OpenSSO - but James Falkner has been on top of that) - Liferay has integration with it too; though it uses it just as SSO; so authentication is not the only thing; I would use it for authorization. At the most basic, it lets you do two things: more fine-grained session detail policies, URL access control policies (and a lot more that would take up more time; both to write about and to implement.) I haven't used the latest OpenAM; though I'm sure it's kept all the best features.
• Some advanced exception handling code; using AOP doing something like: if an exception occurs, log IP; and if that IP generates some more: ban the IP for temporary time; and instead show them a blank message page; and exponentially increase timer. You can have custom rules for the code too. I haven't done this but I've seen it done; not with Liferay but with other portals; I think it keeps the script kiddies away; though it won't secure application flaws; only way there is to get the EE!
• Getting involved in following effort: Liferay Community Security Team - https://dev.liferay.com/web/community-security-team

In my case, one of the possible options (if we choose to go with Apache HTTPD as front web servers) is using mod_security with the most recent OWASP Core Rule Set. Unfortunately these rules need to be tuned before they can be used with Liferay - some of them block Liferay core functionalities like adding documents or using the Control Panel. Recently I decided to fork the original repository and keep my own synchronized rule set that works with Liferay - https://github.com/kgolebiowski/owasp-modsecurity-crs.

I think this is a great project idea; I'll take some time to read about the options; and hopefully implement it as well.


Do you have any experiences with mod_security and OWASP rules? Or maybe you have some other Open Source solutions for providing high-level security?

No, I haven't worked with that mod quite yet; though as mentioned, OpenAM does this: authorization / authentication.