[...]I haven't had any problems with the Linux box. Potential security hole be damned, nothing actually happened.

Yes, it is possible that you've missed security updates. I don't follow bugtraq or anything like that, but it's always *possible*.

Thing is, though, I haven't updated my kernel (or installed a new one) in I-can't-remember-how-long. My webserver (the one that faces the world) is currently running a stock 2.6.6 kernel, and has a 67-day uptime.

Personally, I think that if you're behind a good firewall, that's 90% of the battle right there. If the bad guys can't get directly to your box in the first place, then that's one more layer of boxes that they have to go through. I suppose I'm assuming that all your network-facing boxes in the DMZ are properly secured. (I know, I know, that might be a faulty assumption...But I'm making it anyway.)