According to netcraft, "securityinnovation.com", which appears to be powered by hamsters at the moment is running a W2K box with IIS 5.0. They don't appear to be up on the latest and greatest. Is MS even patching those anymore?
Given that they consider mere counting tally marks to be a security assessment, I'm not sure how much faith in their judgement.