That depends on their ISP data plan.
Many businesses use static IP addresses that never change, but many others haven’t fixed that with their ISP and their IP address may change on a daily basis, on router reboot, or some other occasion.
Your guess is a guess. You should clarify this question with the respective organization.
As to security: of course, any user authorized for that IP address can potentially abuse your service. Real security requires dedicated authentication for each user.
If your services are regularly abused by that public IP address you should try to contact the owner (from WHOIS) and request a solution. If they don’t cooperate you’ll have to generally throttle/restrict access from that IP address to your service – most firewalls provide QoS features that allow limiting the number of sessions, bandwidth or connection frequency.
If a service is frequently abused by changing IP addresses, you need to create an automatic service that tracks abuse and temporarily blocks the source address.