security
Security is a crucial part of every application. Unlike a business feature, it's never "done". You constantly have to keep this topic in mind. Even so, it's a good idea to review the current setup against the OWASP cheat sheets and, furthermore, to write tests for the attacks described there.
I'll give myself a timebox of one month. I have to move forward at some point. Otherwise it's a never-ending story. Nevertheless, this is probably more than most other small websites do. Even if they use frameworks, it's crucial to keep security in mind and not think "I'm using auth provided by my framework, thus it's secure". Once you think your system is not prone to security issues, you open your borders to hackers due to a lack of awareness.
All open tasks have been gathered; they now "just" need to be implemented.