That is weird, because this would indicate that only the file owner has read permissions on the e.g wp-config.php file, which would also mean that the file owner is the web server. Otherwise the setup would not work, because the web server would not be able to read the config file. That in turn could mean that you could easily upload a php file that reads all other directories on the shared host. Regarding your permission problem, it seems like you can't fix it due to the Linux user setup for the virtual hosts. I am speculating a bit here and I would have to take a closer look to be sure about that.
Are you using HTTPS to connect to the wp-admin interface?
Do you store the WP admin password in the FTP application on your computer?
Having a shared host can be quite dangerous, because if one other customer on the same server is hacked, attackers can potentially spread to all other sites, even though you would have done everything right and secured the site properly.