I've had arguments about the DMZ implementation before. I don't agree with it and think it's a bad idea.
If I break into a DMZ, I should, by definition, not be able to affect any machines other than the machines in the DMZ. If you allow LDAP, Kerberos, etc. from the private network into the DMZ (which you need to do with Exchange 2000 OWA), you are essentially nullifying any security the DMZ may provide. It makes no sense whatsoever.
It is a much better option to simply ensure OWA is available only over SSL (HTTPS), and then publish port 443 through your firewall to the OWA machine. The fact that port 80 is not published reduces the danger of worm scans (Nimda, Code Red, etc.), as they look for/at port 80. SSL will also encrypt authentication, which is necessary IMO.
The problems with OWA and IIS aren't necessarily the products themselves (although admittedly, they do require patching and diligent maintenance); the problems lie in the methods people use to implement the products.
The DMZ method never made any sense to me, and I would never use it.
A well-patched IIS running OWA over HTTPS is not easy to hack, at least with any documented exploits. That's good enough for me. Add to this the fact that nothing else even comes close to the functionality and features available with OWA, and the risk is acceptable.
No product is 100%; I focus on maximizing the percentage, and I don't worry about the rest. I could get hacked, sure... I could get hit by a bus too.
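As an added example (not code from the original post), a small audit of a firewall publishing rule set against the two points made above: only 443 is published to the OWA machine, and no LDAP/Kerberos traffic is permitted across the DMZ/private boundary. The rule format, zone names and host names are constructed assumptions.

```python
from dataclasses import dataclass

# Ports the post singles out as DMZ back-channels: 88 = Kerberos, 389 = LDAP.
# 636 (LDAP over SSL) is an added assumption, not named in the post.
DIRECTORY_PORTS = {88, 389, 636}

@dataclass(frozen=True)
class Rule:
    """One firewall permit rule (constructed format, not any vendor's syntax)."""
    src_zone: str   # "internet", "dmz" or "private"
    dst_zone: str
    dst_host: str   # hostname the rule targets, or "*" for any host in dst_zone
    port: int

def audit_publishing(rules, owa_host):
    """Return findings for rules that violate the post's two points:
    publish only 443 to the OWA host, and permit no directory traffic
    between the DMZ and the private network."""
    findings = []
    published = set()
    for r in rules:
        if r.src_zone == "internet" and r.dst_host == owa_host:
            published.add(r.port)
            if r.port == 80:
                findings.append("port 80 published to OWA host: HTTP worm scans "
                                "(Nimda, Code Red) probe 80; publish 443 only")
            elif r.port != 443:
                findings.append(f"port {r.port} published to OWA host is not HTTPS")
        crosses_boundary = {r.src_zone, r.dst_zone} == {"dmz", "private"}
        if crosses_boundary and r.port in DIRECTORY_PORTS:
            findings.append(f"port {r.port} permitted {r.src_zone}->{r.dst_zone}: "
                            "a DMZ compromise can reach the private directory")
    if 443 not in published:
        findings.append("port 443 is not published to the OWA host; OWA over "
                        "HTTPS also encrypts authentication")
    return findings

# Constructed sample: the DMZ layout the post argues against.
SAMPLE_RULES = [
    Rule("internet", "dmz", "owa-fe", 443),
    Rule("internet", "dmz", "owa-fe", 80),
    Rule("dmz", "private", "dc1", 389),
    Rule("dmz", "private", "dc1", 88),
    Rule("dmz", "private", "*", 25),   # SMTP to the back end; not flagged here
]

if __name__ == "__main__":
    for finding in audit_publishing(SAMPLE_RULES, "owa-fe"):
        print("FINDING:", finding)
```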