If all nodes are on ONE server that means there are NO users. Every user can run a full node and there is no limit to the number of full nodes.
Please realize that running a full node even without producing blocks still provides security by creating a PUBLIC record that is disseminated widely in real time. Once that record exists in enough places that it cannot be easily erased, it becomes irreversible.
Web wallet?
The only 'permanent' record is generated by those in charge of producing blocks. Nodes can only choose from a selection of histories, but never produce history on their own.
edit: really no idea why I'm telling you this, as you are clearly aware of it
There are two roles: EXTENDING HISTORY and SECURING PAST HISTORY
Securing past history only requires a RECORDING device operated by as many people as possible.
Securing the extension history is mostly focused around CENSORSHIP prevention.
All full nodes behave as recording devices with VERY SMALL windows for reversal in the event of a missed block and can be very decentralized. Every hosting wallet provider, every exchange, every gateway, every large merchant, and every paranoid user participates at this level and there are no artificial limits. There is no need to pay for full nodes because those who have them are the only ones who need them for their business.
All witness nodes serve in the history extension role and the primary goal is to ensure that block production continues without censorship of transactions or disruption. There are two different factors here:
1. Software / Hardware Redundancy - https://en.wikipedia.org/wiki/Redundancy_(engineering)
2. Human Redundancy
3. Political Redundancy
From a purely hardware/software point of view each witness should have multiple nodes on the network in different locations and a watchdog that will switch between them if one fails. A single "witness" running nodes in 3 data centers around the world would likely provide all of the hardware/software redundancy the system needs.
So now we are talking about Human Redundancy / Political Redundancy. This gets into the probability that an INDIVIDUAL witness will become corrupt or coerced. Let's start assigning some real estimates on these numbers.
Things that impact the probability of being corrupted/attacked:
1. Profit Potential
2. Likelihood of Getting Caught
3. Ability to Recover
We have minimized profit potential because witnesses cannot steal funds or change history, and have a 100% probability of getting caught. We have minimized "destructive attacks" by being able to recover quickly (faster than the average bank holiday).
The point of all of this is that there is no point in increasing costs to maximize one aspect of security when it is already well beyond the weakest link.
In our case, the weakest link is IP packet filtering, domain seizing, etc.
That said, our witness system actually has an opportunity to be secure against that because witnesses can form a "DARKNET" that is very reliable and then the government can play "whack-a-mole" with all of the gateways that pop up for light wallets to connect to.
At the end of the day we need to look at the big picture and develop systems that can operate in the LIGHT OF DAY without any realistic threat that they will be shut down by government, not because the government couldn't but because the government doesn't want to.
The trick to defending against government is to make the POLITICAL COST of the attack higher than the technical cost. Technically the government could kill anyone it wants to at any time. The best protection against that is to be "pure, innocent, and widely loved by the people". Technically the government could shut down the internet, but they won't because the POLITICAL costs are too high.