IIS != Insecure
FWIW, any server can be made secure. It's just a matter of how much time, money, effort you want to put into it. Considering that the NSA has lots of all, I sure wouldn't want to event attempt anything onthier systems. Heck, for all I know, they could have pulled the old trick of disconnecting the write pins on the hard drives that are serving the pages.
Besides, any company should basically consider any Internet-facing server to be "expendable". It's the back-end that is *really* valuable. You know, like the "acres" of computers that the NSA has ;-)