Full disclosure: my relationship with these people is as a happy customer for... I dunno around a decade for a mid-size organization of about 6000 mailboxes. Sorry if this reads like a commercial, I really am just that happy with these guys.
https://www.roaringpenguin.com... they provide and support CANIT PRO, which is basically mimedefang and spamassassin on a debian base, with dynamically updated blacklists and filtering rules. It works really well. David is one of the guys behind behind mimedefang, so you are also helping open source by going with these guys. The pricing for us was really decent.
They usually work with appliances, but we managed to use our own configuration to do some sweet stuff: we put the mail filtering cluster in the DMZ, along with the DB. but we put the customization interface is on an internal network. That way there is no firewall exception for the DMZ (ok except SMTP... can't avoid that one.) and the DMZ gateway doesn't need access to internal credentials at all (Active Directory in our case) It just knows that the interface machine on the inside is trustworthy. Even though the DB has no access to authentication services, the users can still customize their filtering to their desire.
I think for big companies, one concern is that I have never heard anyone rave about spam filtering. In terms of brand-awareness it is a completely one way street, Either people are satisfied with it, in which case they shrug, or they get irrationally violently abusive of the service, and have un-realistic expectations. It is a risk for any major brand to operate spam filtering, with literally no upside (ok, aside form revenue, but if it is a small part of a business, the reputation risk might outweigh the revenues.) Touching people's email brings out all the consipacy buffs you can imagine, and for some small but vociferous group they always have their own solution, and whatever the email admin does is crap. That's a thing that was great about Roaring Penguin's CanIT PRO when we rolled it out, it gave each user the ability to turn off the filtering entirely, if that's what they wanted.
It worked like a charm. Whenever we got some idiot (the truth hurts!) who thought they could do better, we just said fine, here is how to turn it off. Out of 6000 boxes, we had about 200 opt-out right away, most of them turned it back on within a few days, after a year it was down to 60 or so, and then when there were some malware infection episodes, it came out that their 'custom' solutions were not actually working that well, and everyone came back into the fold. Being able to let people opt-out saved us literally months of pointless arguments while letting us deploy good service for the co-operative many.
This was for about 7000 mailboxes, which is small as far as mail installations go these days. The real clients for this stuff is hosting providers and outsourcing companies (cloud based) I think the reason for large companies exiting the business is the huge trend of small companies to cloud, there just isn't much of a market for small email installs anymore... People are using huge hosted configurations. It's gradually getting dismantled now because of some organization move to a single outsourced solution with many hundreds of thousands of mailboxes...