To give you a better overview of the offices in question:

Offices are between 2 users and 70 users (nothing really to big, the big one w/70 users is almost all Win98 and the other machines in the office have been patched so they are safe).
All are protected by a hardware device or ISA.
No access from the outside except Outlook Web Access.
Only one person is actively using VPN and they are using Win98 from outside and going into the network above that is mostly 98.
All ports are closed unless explicitly needed (80, 25, 110, and maybe 1-2 more at each client).
All patches are applied about 1 month after release (mostly to provide a break-in period and allow M$ to finally get it right ), critical patches are applied sooner as needed, service packs are applied on a schedule set by current patch status of the machine (ie. if the machine is missing a lot of patches it will be done soon, if it is pretty well patched I will wait a few weeks and do vulnerable clients first).
Our clients have websites hosted offsite with the exception of Outlook Web Access, this hopefully gives one less entry way into the network.


Just remember, you can't show up every week and put in 15 hours of labor at $75-200/hr (depending on who you are) just because M$ is ghey.......in today's rough economy you have to be cost effective, if not the client sends you packing.