What about the recent vulnerabilities posted on the eEye advisory section... users have no option other than to wait for another six months or so, till M$ provides patches for them....
All of those vulnerabilities fall into one of two classes...

1. Weak default configuration.
2. Requires physical access to the system.

The first class is a big "So what?" Vendors provide security recommendations for a reason; fail to follow them at your own risk.
The second class is also a big "So what?"... in an environment with the slightest concern for security, non-administrative users should only have access to dumb terminals... where it doesn't matter what kind of access you have.

eEye makes one good product (Retina, which has had trouble recently); otherwise their products (Iris, IIS Secure, and Blink most notably) are very blah, and to call their media team histrionic is like saying the Pacific Ocean is moist.

cheers,

catch