If you want to lock down the login the easiest way (besides using a nonstandard admin user with a good password) is to rename wp_login.php and write a little plugin that changes the login URL to point to the new file. There's actually a hook for that. That way all brute force attacks will get 404'd by Apache without the WordPress core getting involved, which saves a ton of resources. In case someone mounts a distributed brute force attack on you this might mean the difference between somewhat elevated traffic and the server going down. (Yes, that happened to us already. Renaming wp_login.php took us from base load of 6 with spikes of 120(!) to a base load of 1 with spikes of 3. Login limiters and fail2ban weren't nearly as effective against distributed attacks.)
XML-RPC should mainly be disabled because of pingbacks; not too long ago these could be exploited to make your site participate in a DOS attack. XML-RPC itself not a significant security risk these days. You can go for a more nuanced approach by only disabling the functions used for pingbacks (there's a hook for that too) but if you don't need XML-RPC it might be easier to just rename or delete the entire file.
Trackbacks should be disabled because of trackback spam. Yes, you can install plugins that help you deal with it but - seriously - pretty much no Wordpress-as-a-CMS user cares about trackbacks (or pingbacks, for that matter) in the first place. Disabling them means fewer hassles.
Again, these days the biggest security risk are badly-written plugins. We once had an infected WordPress where it turned out that the attacker never compromised any user account. They didn't need to because a plugin allowed them to execute PHP code on the server. They just injected their attack code directly into WordPress and could do whatever they wanted, such as displaying dodgy pharma ads without even touching the database. That's the kind of danger unreviewed plugins pose.
WordPress can be quite capable when managed correctly. Just don't make the mistake of assuming that you can just install a plugin and get new functionality without any risk. Badly-written plugins are common and they can screw you just as much as an insecure admin account can.