Whether or not a web server gets hacked depends not on the server software but on the cluefulness or not of its admins.
I know you're paid to say that, but that's sheer, utter bollocks.
That *is* a factor, yes.
It is not the ONLY factor.
If your web server has a vulnerability, and there's *no patch*, *no fix*, no way to stop it, it doesn't matter how good you are - you *can't* secure it.
And that's a big problem with IIS. Microsoft 1) denies many problems 2) minimizes their risk 3) puts out fixes when they feel like it.
Until they decide it's a problem, and get you a fix, there ain't a damn thing you can do. And if you're hacked *first*, well, you're screwed. Now, this *is* the same with any other webserver. However, right now keeping IIS patched has our NT folks in a severe tizzy, *and* sometimes installing some web product has the net effect of uninstalling one or the other. (.DLL hell strikes again, and no, I can't give details, they were complaining about that; luckily it was *our* scanners who detected that a hole was back open.)
IIS is securable.
IIS has hooks to the operating system that most other web servers don't, for exactly those security precautions. As a result, I certainly think of it as less securable than other comparable web servers.
The problem is that very few people know how to do it.
Then maybe IIS isn't a good choice. :)
Addison