As with anything, it's a juggling act between cost and risk.
You can overhaul everything, go crazy with redundancy and security and your solution would be great, but the cost might outweigh the risk.
Yes, there are single points of failure, but how important are portions of the network and what kind of uptime / SLA is expected? Could you get away with just having a cold replacement in case of failure? How long would it take to run a new cable should one break, etc.?
You need to determine the bottlenecks: are back office systems slow for everyone or only certain users in certain locations? Is this occurring at certain times or random? It could be oversubscription on an uplink, it could be a backup running or a full AV scan on the server; the list is fairly long and your current visibility is low.
I would separate users, wireless, till points, servers and other services into their own VLANs as a start. This is the first step into segregating traffic, starting security and helping with troubleshooting. You could then see if access issues occur, if they occur from all VLANs and / or from all switches.
Having a slightly more expensive collapsed core switch would allow you to get visibility on interface statistics and trending, to see utilization, which will help you decide if there are throughput bottlenecks / utilization bottlenecks anywhere.
Adding security is another project altogether, and this can go as deep as you want. GPO with restrictions is a pretty good start; again it's a costing exercise: is it worth spending the money on security and what should you be securing? Is the data important, is uptime important, etc.?
Most companies spend money on endpoint security and perimeter. If you are just interested in controlling access to the internet, most endpoint software nowadays includes web and application control and you can save yourself on the complexity and cost of a UTM device.
Going further you may want to authenticate users accessing the network, profile them and go crazy.
End of the day, the client needs to help you build a security model and strategy and you then need to find the best starting places to secure.
What you need is visibility at this point or troubleshooting to identify the slow responses. From there you can make recommendations as to a design based on customer pricing, business requirements and then align that with security.