After looking through the links to my previous post, I noticed that G. Andrew Duthie referred to it in his latest blog. He makes an excellent point. Not patching is in my estimate Sin #1 when adminning any box. But secondly, there are tools like the IIS Lockdown Tool for Windows 2000 machines. Also, URL Scan works in conjunction with the IIS Lockdown Tool to restrictcertain types of HTTP traffic from coming to your IIS box. Both of these tools in conjunction with MBSA that G. Andrew Duthie talks about are absolute necessities.
Personally, I run MBSA every few weeks on my server to make sure everything is ok. But besides that, I am also subscribed to NTBUGTRAQ (the mailing list moderated by Russ...), which at least keeps me up-to-date as to what the latest security announcements are (and hence usually provides links to patches that need to be applied).