one thing overlooked in this article is "chroot." The chroot command exists in linux and the BSD's and allows you to prevent an application (like your web or mail server) from accessing parts of your servers drive(s) it's not supposed to - even if the app is hacked the kernel will not allow it to write outside the directory has been chrooted to. Bind has built-in support for this.
FreeBSD (and it's at least planned for the other BSD's) has a jail command that goes a step farther and controls what syscalls it can make, the ip/ports it can bind to, the protocals it can bind to, etc... (i believe there was an article about using it on daemonnews recently)
both of these methods allow for greater security on boxes with multiple services running on them and don't requrire the overhead / expense of VMware. i personally keep most services chrooted on my openbsd server and am consitereing chrooting all user logins for a little extra paranoia :)