chsh, you post so much bullshit it is frequently difficult for me to waste the time to go through and correct everything, in this case I'll make an exception.

Which only furthers my point regarding his relative experience "out in the wilds" as it were. We've seen time and again what government standards have garnered in terms of real security: Various web defacements, reported break-ins to various government departments supposedly adhering to DARPA's security guidelines.
You've seen what government standards have garnered in terms of real security? Damn straight you have. When is the last time a high security government or military system has been compromised? What's that? Never? Gee, lucky that. (Don't want those hackers launching nukes.) All that gets broken into are low security systems with nothing important on them; the same goes for defacements. I actually covered this topic in:
http://www.antionline.com/showthread...hreadid=244586
High end secure systems like SMG ( http://www.smat.us/crypto/docs/mailguard.pdf ), STOP ( http://www.radium.ncsc.mil/tpep/libr...L-92-003-E.pdf ), KSOS ( http://csrc.nist.gov/publications/history/ford78.pdf ), and the like are not even theoretically possible to compromise remotely; then again, these systems are not wasted on public webservers with nothing to protect.
I am sure you might go off about NASA getting broken into and plans for the shuttle being stolen or whatever. So what? Despite what the media liked to hype up, those plans are not some super duper top secret thing. Only a few countries in the world would have the technology to build the shuttle anyhow, and those that do have already developed/could easily develop their own plans, hence the low security rating. (They have no value.)

Now to a far more objective point, do you even know what DARPA is? It is pretty clear by your speaking of their security guidelines that you do not. DARPA (Defense Advanced Research Projects Agency - http://www.darpa.mil ) does not establish security guidelines, never has, never will. In fact DARPA's mission statement makes this very clear:
The DARPA mission is to develop imaginative, innovative and often high-risk research ideas offering a significant technological impact that will go well beyond the normal evolutionary developmental approaches; and, to pursue these ideas from the demonstration of technical feasibility through the development of prototype systems.
- http://www.darpa.mil/body/mission.html

Security guidelines are established by the United States' Department of Defense (DOD) National Computer Security Center (NCSC - http://www.radium.ncsc.mil/tpep/ or (410) 854-4376 if you prefer), which is an organizational unit within the National Security Agency (NSA) and charged with information systems security for classified information. The National Institute of Standards and Technology (NIST - http://csrc.nist.gov/ ), as an organizational unit within the Department of Commerce, is responsible for sensitive but unclassified information systems security. Standards set forward by, or based on those set forward by, the NCSC and NIST have in some form found their way not only into every secure US, Canadian, English, French, German, Japanese, and Australian military information systems installation, but also into every first world bank and damn near every Fortune 500 company.

What was that about out in the wilds?

In your opinion, and apparently catch's. Security organisations like SANS appear to disagree with you.
SANS is like television: they don't want to be too surprising or compelling, because doing so will make people feel dumb and scared, which in turn loses their audience. SANS specifically targets people that don't really know anything about security; that is why they have so much focus on the very tangible, like top vulnerabilities. They do this because if the site was full of theorems proving and disproving various security models, the site would lose mass appeal. If you want information on computer security, go to the ACM's ( http://www.acm.org ) security-based SIGs; those people will set you straight.

No desktop operating systems since Win95 have had 0 services by default. Win 3.11 had to be configured to allow it, but many OEMs did this in its default configuration, meaning a lot of those desktops had services enabled by default.
"No desktop operating systems" is a bold statement, but I'll let it slide as there is no point in being picky. The real point is: why the preoccupation with default configurations? All you Linux fans are the same way. You think you're so smart, but base the entire worth of the system on the way someone else configured it for you.

Default configurations, number of defacements, and number of published exploits... is this all that your security knowledge is comprised of? I could pick up the same level of knowledge using Steve Gibson's website as my only resource.

Why don't you go look up what a "reference monitor" is ( http://seclab.cs.ucdavis.edu/project...CD/ande72b.pdf section 3.4 page 24/25), and then you should have an idea about why security should be controlled at the lowest point. Things like firewalls on desktop/network server systems, relying on your web/email/dns/ftp/whatever service software itself for security, and monolithic kernels are all indicated to be bad by the single founding principle of all secure systems for the last 32 years.

So what will satisfy you?
I can post documents and you'll just say they are wrong. I can cite companies; you'll say they are exceptions. I can direct you to other places of learning why my arguments are not the exception; you won't go there. I could challenge you with compromising a system that utilizes my principles and give you admin passwords, whatever trojans you want on the system, anything; you'll say I rigged the contest. So seriously, it seems plain as day obvious to me that users (authorized or not) should never have the ability to directly interface with any element of a system's security mechanisms (hence you can run the least secure service software on a secure OS and the system will remain secure). This is also why running firewalls on desktops/network servers is bad: you allow a remote user to directly interface with an aspect of the local system's security. Unless of course you gain something by it, like having a need to filter particular ports (in these cases you should still use a stand alone firewall like Sidewinder G2, as this gives additional layers of abstraction: the firewall is outside of the system's reference monitor and the stand alone system is outside of what it is protecting), then it may be deemed an acceptable risk; otherwise you gain risk with no gain in protection.

catch

Edited to add: I have no disagreements about the idea to purchase a router/firewall appliance. Though unneeded services should still be closed.
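The post's point about the reference monitor (every access mediated below the services, with the policy out of the subjects' reach) can be shown in a toy model. This is an added illustration, not code from the post or from any of the systems it names; the labels, objects, subject names and the "untrusted service" are all constructed.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    SENSITIVE = 1
    SECRET = 2


@dataclass(frozen=True)
class Subject:
    """A process or user. Frozen: a subject cannot raise its own clearance."""
    name: str
    clearance: Level


class ReferenceMonitor:
    """Mediates every access. Labels and policy live here, below the services,
    so no service can grant itself access it was not given."""

    def __init__(self, objects):
        self._objects = dict(objects)   # object name -> (label, contents)
        self.audit = []                 # (subject, op, object, allowed)

    def read(self, subj, name):
        label, data = self._objects[name]
        allowed = subj.clearance >= label   # no read up
        self.audit.append((subj.name, "read", name, allowed))
        if not allowed:
            raise PermissionError(f"{subj.name} may not read {name}")
        return data

    def write(self, subj, name, data):
        label, _ = self._objects[name]
        allowed = subj.clearance <= label   # no write down
        self.audit.append((subj.name, "write", name, allowed))
        if not allowed:
            raise PermissionError(f"{subj.name} may not write {name}")
        self._objects[name] = (label, data)


def untrusted_service(monitor, subj, requests):
    """Stand-in for the post's 'least secure service software': it fetches
    whatever a remote user asks for, with no checks of its own, yet the
    monitor still decides every access."""
    out = {}
    for name in requests:
        try:
            out[name] = monitor.read(subj, name)
        except PermissionError:
            out[name] = "DENIED"
    return out


# Constructed sample system: three labelled objects and one low-clearance daemon.
SAMPLE_OBJECTS = {
    "motd": (Level.PUBLIC, "welcome"),
    "payroll": (Level.SENSITIVE, "salaries"),
    "secret_memo": (Level.SECRET, "placeholder"),
}
WEB_DAEMON = Subject("httpd", Level.PUBLIC)
```

The audit list is the monitor's record of denied attempts, which is where detection of a misbehaving service would start.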