Current versions of sendmail are no more vulnerable than current versions of other MTAs. Sendmail's reputation for insecurity is due largely to its longevity. It's been considerably hardened over the years. I still use a version of the ancient store-and-forward SMTP listener called Obtuse smtpd on my main server because it has excellent anti-spam controls, but I have other machines running where sendmail is directly exposed to the Internet. We haven't had any problems with security.

Any decent mail server needs to filter malware and spam. There are many alternatives for this, but I like MailScanner because it enables everything to be managed centrally. Each message that arrives is scanned first for viruses using a combination of filetype rules (no ".exe" file attachments for instance) and ClamAV. (You can use commercial scanners if you prefer.) Then if the message is marked clean, it is passed to SpamAssassin for scoring. I tag messages that get an SA score between 4 and 7 as "likely spam" and deliver them to the recipients with a {Spam?} tag in the subject line. Anything over seven gets put in quarantine. At one client's site, with about 200 employees, we quarantined over 2100 spam messages just yesterday alone.
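The three-stage policy described above (filename rules, then the virus scanner, then SpamAssassin score thresholds), as an added example that is not from the post and not MailScanner's own code; the denied-extension list and the `clean_by_av` callable standing in for ClamAV are assumptions, and the sample message is constructed inline.

```python
"""Model of a MailScanner-style pipeline: filetype rules, AV verdict, SA score."""
import email
from email.message import EmailMessage, Message
from email.policy import default

DENIED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")  # assumed rule set
TAG_MIN, QUARANTINE_MIN = 4.0, 7.0  # SA thresholds from the post: 4-7 tag, >7 quarantine
SPAM_TAG = "{Spam?}"

def attachment_names(msg: Message):
    """Yield lower-cased filenames of every MIME part that carries one."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name.lower()

def decide(raw: bytes, sa_score: float, clean_by_av=lambda m: True) -> tuple:
    """Return (action, subject); action is 'reject', 'quarantine', 'tag' or 'deliver'."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = msg["Subject"] or ""
    # 1. filename rules: endswith() on the whole name also catches double
    #    extensions such as report.pdf.exe, which a plain split on '.' misses
    for name in attachment_names(msg):
        if name.endswith(DENIED_EXTENSIONS):
            return "reject", subject
    # 2. virus scan (ClamAV or a commercial engine); hypothetical callable here
    if not clean_by_av(msg):
        return "reject", subject
    # 3. SpamAssassin score: quarantine above 7, tag 4..7, otherwise deliver
    if sa_score > QUARANTINE_MIN:
        return "quarantine", subject
    if sa_score >= TAG_MIN:
        return "tag", f"{SPAM_TAG} {subject}"
    return "deliver", subject

def build_sample(filename: str, subject: str = "Invoice") -> bytes:
    """Constructed sample message with one binary attachment (test input only)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("See attachment.")
    m.add_attachment(b"\x00\x01", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fname, score in (("report.pdf.exe", 0.0), ("report.pdf", 5.0), ("report.pdf", 8.2)):
        print(fname, score, decide(build_sample(fname), score))
```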