Choosing Web Site Providers and Approaches
Mostly they go to a Web agency of some sort then go along with what they say. They pick the agency based on prior work, which may or may not really be analogous to their specific needs. Usually the choice is made on what prior web sites look like, so a high premium is placed on design, often over functionality.
Some Web providers make, shall we say, interesting claims, when it come to Search Engine Optimization (SEO). This a rather large topic that won't be covered here, but be very wary of exaggerated claims. Google is pretty smart in this area and there are increasing stories of sites and companies loosing SEO rankings due to bad practices.
Some considerations for choosing Web hosting tools and suppliers follows.
It is interesting how little most people understand about Web sites. Most Web sites are accomplished using some sort of Web Framework, such as Wordpress or ASP.NET MVC, Microsoft technologies. Some of the other top frameworks are Drupal (used by WhiteHouse.gov), Joomla (examples), Ruby on Rails (examples) and my personal favorite Django (used by National Geographic, PBS, and NASA, others ). There are literally hundreds if not thousands of such frameworks each with its own strengths and weaknesses. The framework often determines what the Web provider can do in a timely and cost effective manner and how much the end user can do for themselves. There is no one size fits all solution.
Beyond flexibility and efficiency, security is another aspect of Web Frameworks. It is not simply a matter of getting the firewall right. With some notable exceptions, firewall configuration is now pretty well understood, Only open port 80. But sadly that does not provide much security for many of the most common web attack vectors. Specifically it provides no protection for Cross-Site Request Forgery (CSRF) errors nor XSS issues explored here XSS Prevention Cheatsheet nor does it provide much for mis-configured servers and databases, the most common security issues for Wordpress (details on Wordpress security advice is here), and other frameworks. In fact this list of attacks http://www.owasp.org/index.php/Category:Attack contains none that are inhibited by firewall configuration.
Most any Web framework provides a fairly large exposed surface from a security standpoint.
Another consideration is where the site will be hosted. Many agencies do try to get the hosting business at the same time as the development business. Sometimes there is an urge to host the site on some sort of internal capacity. In general one would be much better of having the site hosted by a real Web host rather than a small service provider for security, scalability and reliability, not to mention that most large Web hosts have inherent disaster backup that local companies would have a hard time replicating. Security threats such as denial of service (DOS) attacks are best handled by the larger providers.
There is however an emerging class of frameworks that is pretty bullet-proof, known as static sites. That does not mean that the sites do not have controlled levels of interaction or animation, but rather that the site and framework has no executing code on the server, it is in a very real sense entirely pre-compiled. Many smaller company sites are very amenable to this approach.
A leading implementation is Blogofile. Interestingly this was just recently implemented on Google App-engine, (Details here) It can also run on a free micro site instance at Amazon EC2 and or EC3 for very little. So for medium sized traffic the hosting can be free or nearly so. Of course these static sites are easy to host on internal infrastructure as well. Static sites do not however provide for user input, other than basic site search or commenting, usually provided by a third party service such as DISQUS.
Static sites are maintained off line, behind the firewall and once updated the entire site, or just the "diff" (an automatically calculated change set) is pushed to the server for new articles and content, most ideally from a change control system such as GIT or Mercurial. This provides excellent change tracking, control and distributed contribution and multiple author capability.
It is further, easy to incorporate differing media types and embed links such as pictures video files and PDF's.
Do yourself a favor and before you invest or get invested in a full framework give static sites a look. Further, if your needs are more modest things like Google sites and other hosted full solutions like Squarespace can be quite satisfactory.