For starters, since you are running Joomla, take a look at their Security Checklist:
here.
I assume here that you are running these tools on top of an Apache server with PHP and MySQL (as discussed in Wikipedia:
here). If so, I would also recommend that you start by reading about basic apache and PHP security. Each of these applications, by themselves, is relatively secure. Each application, module, bit of code, and so forth that you add to them, including cPanel, Joomla, and WHM add additional complexities and vulnerabilities. This will make your task exponentially more difficult with each addition.
To address some of the basics and your other questions:
Apache file permissions are the most basic thing that you have to address. By default, Apache is limited to the specified document roots and can pull information from outside of the directory structure by using Alias directives. Apache starts up as root and then drops the root permissions for the daemon processes. These processes run as a non privileged user with a locked account, typically something like apache, www-data, nobody, etc. The files in your folder structure should be owned by root and readable by others. This is how pages are read and served. The directories need to be executable to work, but files should not. Files and folders should not be writable. There is NO PHP user. PHP files are read by Apache and interpreted in-line to generate HTML. As long as you are configured so that files are interpreted and don't open up holes beyond your document root, web users can't get at the PHP code itself.
By adding a content management system with additional command and control tools you may need to add more users and groups and assign appropriate permissions to certain files and folders for this purpose. However, your web directories should not be writable and your files executable by the public. If they are, it is an indication that you have made a sever permissions mistake.
Also, one of the most important things you can do is keep your web based applications (Apache, PHP, and all the other stuff like Joomla) up to date. Failure to keep these programs patched is one of the most commonly exploited vectors!
As far as your 2-3 "experts" go, I questioned their expertise the moment you said "php user"
After you feel you have things appropriately secured, you might consider running a security vulnerability scan against your system. This will help identify if there are vulnerabilities you have missed. !!Do not replace a real understanding of the security basics with a scanner tool!! Use the tool in addition only. An example of such a tool is OpenVAS, which is a free version fork of the popular Nessus scanner.