I haven't seen anyone mention ISA server.
No. I wonder why. It can certainly perform the function as documented in their best practices...
Internet Edge Firewall
Organizations with enterprise-scale capacity requirements may consider deploying an ISA Server computer as a dedicated Internet edge firewall acting as the secure gateway to the Internet for all corporate clients.
I like that "may consider" 
MS Windows is a victim of it's success, with criminally minded organisations spending an awful lot of time finding exploits. While Windows appears to have many more problems than other products, I think that this is more likely to be a combination of both the popularity which means that there is a more concerted effort to find exploits and the fact that any exploit discovered has a high impact and visibility.
The complexity of an general purpose OS means that it is harder to secure and fix when compared to dedicated hardware devices running something like IOS or PIX. Cisco still get it wrong, and their equipment still occasionally has security problems. However the issues are fewer and further between, and tend to be denial of service rather than the exposure of internal network or data.
For these reasons anyone who "may consider" using ISA as their first line of defense might also consider alternative employment.
Behind a decent firwall I think that ISA is mature enough now to deploy without particular worry. For example, I think that it's a good option for a caching proxy in Windows-only shops that don't require the full-on features of something like Squid.
In the future, when Windows has finally lost it's reputation of being insecure and buggy I'm sure we'll all be looking at it again in security contexts with a less jaundiced eye.
