IIS 6 (Windows Server 2003's web server) has a good security track record as it was developed under Microsoft's Trustworthy Computing initiative. I dare say I'm courting fate by writing about it! Unlike it's predecessor there haven't been any high priority vulnerabilities and there have been very few (3 according to Secunia) due to code vulnerability. Having said that even a single low profile vulnerability would be too many and there are plenty of people trying to find exploits so we continue to work to improve both the code quality, architecture and ease of configuration.
There are many security and performance improvements in IIS 7. One that's caught my eye is that IIS 7 (Windows Server 2008's web server) takes modularity to a new level by unbundling functional modules meaning that it doesn't load code into memory unless it's absolutely required for the job in hand.