It's not that hard, keep an eye on patches and disable any extras you don't want.
I realize that, but I know several people who thought they installed the patches and still got hit by CodeRed. And if I had the choice between the web server that requires I check for security patches daily or the one that's been secure for years, I'd chose the latter and save myself some time.
Anyrate we where talking about a language not a websever, PHP runs under IIS and ASP runs under Apache so the webserver is irrelivent.
Not really, Apache has several ASP options (no COM though obviously, so it's basically VB scripting) and PHP runs under IIS.