Does anyone ever do hardware cluster to insure HA for Mikrotik box?
if yes, can you share how you do it ? 
You can use VRRP to setup a hot-spare router which will take over in case the first fails. THe connection tables, hotspot logins, and other state-dependant things are not dynamically replicated between units. Do a Google search on VRRP for more info.
VRRP is good for a single gateway.
In my case, i create one vlan for one customer. so, if i have 1000 customers, i will create 1000 VLAN.
it is really hard work to do with VRRP.
Why did you choose VLAN instead of PPPoE ?
Why VLAN:
- easy local loop (2L,3L, MPLS)
- lease line service (transit, corperate customer)
- graphing (interface VLAN), customer self-care
- no need PPPoE supported device which is less overhead
- CPE managed by VLAN (1CPE=1VLAN)
Why not PPPoE, because it doesn’t have what VLAN has.
What if for example, I (or a hacker) connects to the network with someone’s VLAN ID and uses some of the bandwidth (with a VLAN enabled switch, so customer do not loose connectivity?) ? 
How do you manage security,… etc ?
At customer side, they can only access to the VLAN that was assigned (access port).
All the access layer switches are secured by ACL, password, security guard and finger print (Remote and Direct Access).