Geoff... which patches are you meaning... windows IIS ones? (im a web hack really not a server type)
Yes, IIS patches. Windows patches are important too though. If there's a hole in your web application then its concievable that an attacker would use a local windows exploit to get system priverledges.

BTW, you did put this web server in your DMZ didn't you?

I'd put snort on it too, just to be sure.