Anti-virus/spyware/spam:
At their most passive, they're a nuisance and at their worse, a significant business menace. But they can all be readily managed 99% of the time with occasional extra intervention. On rare occasions (and not recently), we've had to send out bulletin alerts to advise our customers to load an interim update.
Anti-virus:
It isn't adequate to protect just your server(s) - you should buy sufficient licenses for all your PCs (including home workers). If you do get a virus outbreak (e.g. off a USB key or through a VPN off a home worker), you need your AV software deployed throughout your organisation to instigate a clean up. We support Sophos and Trend but our long-term (although not cheapest) favourite is Network Associates AVD.
All AV (and Microsoft Critical Updates using WSUS) updates should be configured to be automatically downloaded by the server and distributed to the internal PCs. Home workers/laptops on the move should be configured to get updates directly off the web (rather than through the VPN to the main office). And with all things automated, one day they'll quietly stop - hence why our monthly health-checks keep an eye on this...
Whilst anti-virus remains on topside of the virus writers (although boot sector viruses continue to be a pain), we've seen less and less implementation of the 2 different anti-virus services "in series" (a second locally installed product or outsourced service such as MessageLabs). Long may this situation continue...
Anti-spyware:
This is absolutely key and in our opinion the biggest exposure. All workstations should have one or more anti-spyware packages installed - especially your home workers with children that share their PC..
Anti-spam:
We'll never get rid of the stuff, but Microsoft Exchange has a very reasonable IMF system to dispense with a majority of spam. To be effective, you also need Outlook 2003 (comes licensed with Exchange 2003/SBS2003 anyway).