Security isn't the only issue, though. What about the long-term viability of companies adopting the ad-only revenue model? Ad revenue is volatile, and as a result can't be generally relied upon to fund ongoing support and development. A point could certainly be made that if you're paying nothing, then your risk is nothing. But given the administrative and management resources that go into implementation and ongoing management, the cost is far from zero for IT shops.
What seems to be working for the software development companies with long-term staying power is a semi ad-sponsored model, where you either: A) Give it away until your base is sufficiently large, and then start charging for the software (i.e., dnsstuff.com); or B) Charge a small licensing fee to take away the ads (i.e., Spiceworks).
I'm personally excited to see more open source and ad-sponsored players like Spiceworks jump in and build solid community developed solutions for the SMB marketplace. Most of these IT shops lack the budgets needed to purchase enterprise products, and these scaled down solutions usually fit the bill. If you can vet away the long term viability and security concerns from these ad-sponsored solutions, you might find yourself a hidden gem that plugs nicely into the puzzle of enterprise apps needed to run your infrastructure.
Have you had success with an ad-sponsored application in your production environment? I'd love to hear about it -- e-mail me at firstname.lastname@example.org or respond to this thread.