For many organizations, the security concerns in Server 2003 are minimal. Border security is handled elsewhere, and modern antivirus and antispam programs take care of most, if not all, threats. Security certificates may or may not be an issue in these installations, and might demand a server update, but this should be on a case-by-case basis, just as many other considerations are.
The question sometimes boils down to the application software running on these boxes, whether it can be kept current, and any other mandatory security considerations, such as HIPAA rules, that might be in play.
So indeed, new versions of SmarterMail would certainly require an update to later Windows server versions. But one size, as usual, does not fit all.
I recall companies running Novell NetWare 3.x, for example, for years after it was obsolete. Indeed, I have one client with a FoxPro DOS app that is STILL running it (!).