I've used Plone as a CMS in a company before and here's what I can tell you.
Plone security works great, especially if you fine-tune it. For example, you are definitely going to want to think about going in and tweaking what happens when documents move to different publishing states. I tweaked the "Publish External" to have the same privileges as internal publishing because for us, there was no such thing as external publishing since it was an internet-facing company intranet and client extranet.
You will also want to proxy your access behind Apache if this is going to be internet-facing.
Plone has a great ability to version files. Unless, of course, they are large files. IIRC, anything greater than 32MB causes versioning to fail. I know you can get around this by using external storage (external to the PloneDB) and I think they made it easier with version 4 that was just released, but I haven't tried Plone 4.
Plone is written in Python, so if you want to build your own plugins, you are going to have to learn it. The built-in DB is like nothing I've ever seen and is not relational in any meaningful way that I saw, so if you ever have any ideas of doing something relational with it (i.e. a trouble ticketing system), you are going to have to use an external database for your plugin.
WebDAV works great in Plone. Versioning with it does not. Pick either versioning or WebDAV access for a folder.
Oh, and unless things have changed, you cannot (AFAIK) do file-level restores from backups. It is an all-or-nothing affair. You CAN restore to a test environment and then export an individual object to import on your live instance. For most issues of accidental deletion, you can recover from the management back-end though.
Like any solution, you will have lots of customization in front of you if what comes out of the box isn't sufficient for your needs. Depending on how dirty you want to get your hands with it, the learning curve can be gentle or very, very steep.