I was working for a hosting company with several hundred domains. We had our infrastructure in Telehouse with redundancy in RedBus (two of the most important UK datacentres). Our servers were protected by Astaro firewalls. We were running several Windows 2003 servers, but used a linux BIND machine for our DNS. We had 2 separate mail gateways which had spam filtering and various filters using reverse DNS lookups. The problem is, the more anti spam, anti virus filters etc you use, the more processor resources are consumed. I think in the end the attacks beaten by patching the BIND server and adding some DNS security measures, although Im hazy on the details.
For most developers (and my case now) I dont have to worry about server security, its in the hands of my hosting company. But I am keen to maintain the security of my sites. I have 2 ecommerce sites (php as there is a lack of open source asp.net ecommerce solutions), but all financial details are processed by Paypal, so its mainly DoS or site hijacking that I am concerned with. I have two other sites that use asp.net login controls, and I haven't seen any general slagging of the security of the asp.net membership model, so I'm hoping the lack of such criticism means its pretty solid. But I might be wrong...