To be honest, securing email is not that hard, unless you want to "manually" set up a structure to check messages for weird stuff.
You can "outsource" an email hygiene service, to handle the inbound of your email, clean it, and deliver it to your own server (either Exchange or some other thing). You can do that for outbound as well, so your Exchange (or some other thing) will only send and receive SMTP on port 25 from a very specific group of known IPs (the ones from your email hygiene service provider). This alone will take away a huge chunk of the on-premises worries with email security (no need to worry about spam attacks, bursts in email messages, workload increases, etc., etc.). You just pay other guys to handle that for you.
Of course, you can do that with SpamAssassin, a couple of Linux boxes and such (and your email hygiene supplier will most likely be doing something similar). The difference is that they are paid and specialized in keeping an eye on email security and the latest trends, and for you, usually, this is just one of the many "hats" you wear as an IT administrator.
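One check that follows from the setup above: if the mail server is supposed to see port 25 traffic only from the hygiene provider's relays, its SMTP logs can be audited for connections that arrive from anywhere else. This is an added example, not the poster's code or any provider's tooling; the provider ranges and the Postfix-style log lines are constructed placeholders.

```python
import ipaddress
import re

# Constructed allow-list standing in for the hygiene provider's relay ranges
# (documentation addresses, not any real provider's).
PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed Postfix-style smtpd log lines; real formats vary by MTA.
SAMPLE_LOG = """\
Mar  3 10:01:12 mx1 postfix/smtpd[2231]: connect from relay7.example-hygiene.net[203.0.113.45]
Mar  3 10:01:13 mx1 postfix/smtpd[2231]: disconnect from relay7.example-hygiene.net[203.0.113.45]
Mar  3 10:02:40 mx1 postfix/smtpd[2240]: connect from unknown[192.0.2.77]
Mar  3 10:03:05 mx1 postfix/smtpd[2244]: connect from relay2.example-hygiene.net[198.51.100.8]
Mar  3 10:04:19 mx1 postfix/smtpd[2250]: connect from unknown[198.51.100.200]
"""

# Matches only inbound "connect from host[ip]" events, not disconnects.
CONNECT_RE = re.compile(r"smtpd\[\d+\]: connect from (\S+)\[([0-9a-fA-F:.]+)\]")


def is_allowed(ip: str) -> bool:
    """True if the address falls inside one of the provider's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_RANGES)


def find_unexpected_senders(log_text: str) -> list:
    """Return (hostname, ip) for every inbound SMTP connection not from the provider."""
    hits = []
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        host, ip = m.group(1), m.group(2)
        if not is_allowed(ip):
            hits.append((host, ip))
    return hits


if __name__ == "__main__":
    for host, ip in find_unexpected_senders(SAMPLE_LOG):
        print(f"unexpected direct SMTP connection from {host}[{ip}]")
```

Anything this reports is either a firewall rule that is not actually in place or a relay range the provider added without telling you; both are worth a ticket.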