Depressing, huh? Unfortunately a lot of factors combine to put you as a sysadmin in a position where you can't hope to provide a totally spam-free mail system.
The most important reason is that spam is a social problem, and as such the only really effective way to defeat spammers is at a social level. However, you're stuck trying to use technical means which spammers always find ways to evade.
Because technical measures have been only partly effective at mitigating the effects of spam, and social efforts to discourage spammers have not been organized and consistent, spam has continued to grow as a problem and shows no signs of turning around. Sadly, things may get much worse before they ever get better.
The huge number (plausible estimates number in the millions) of subverted Windows hosts available to spammers (or for that matter, any potential abusers) is truly alarming. Besides their current role as spam proxies, they could potentially be used to subvert many other proposed technical spam mitigation methods.
The ever-changing set of technical methods for mitigating spam basically create an arms race between mail server administrators and spammers; admins deploy a spam mitigation method, and the spammers deploy their method for getting around it. Bolting more and more components onto your mail system makes it harder to manage and less reliable.
All centralized blocking/filtering methods are likely to require substantial maintenance effort -- you have to make sure they're doing what you want, constantly modify blocking and filtering rules as spammers appear and disappear and spam signatures change, deal with spam complaints and false positive complaints, and on and on.