With the limited amount of information this will be difficult to answer.
Using IIS 5.0 and not 4.0 is good. CA stand alone is even better. Since I don't know if you have secured or hardened the device per recommended standards, I'm uncertain. You could do these two things and not effectively harden the device and all your work would be useless.
I'm uncertain of your DMZ architecture, as well. Are you using RFC 1918 and NAT? Have you audited your firewall rules and stopped all unwanted external traffic before it reaches the DMZ? Are you properly filtering traffic, logging and auditing those logs? Are your firewall rules at both the external and internal points in the DMZ valid, logged and audited?
Since the security issue with Microsoft is a moving target at best, there are many assumptions I would need to make prior to coming close to answering your question. Off the cuff, I would say no, you are not secure simply because of the man hours it now takes to maintain any Microsoft system. Information security demands all devices be secure, not just the Web/app server. If your network parameter is lacking security, yet you have done all these wonderful things to IIS 5.0 you are still highly vulnerable. If you have a valid parameter and your infrastructure is still secure just, maybe there is a chance you are in fact secure.
Security as related to Microsoft products will continue to be a moving target due to the open nature of the products. Although MS has just stepped up to the plate and said they would release products in secure mode, not un-secure as in the past, only time will tell the fate of this lip service.
I've danced around your issue only because of the lack of information. I'm not saying anything new here concerning any Microsoft product. As with any device, security is related to the whole infrastructure, not simply one device.
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Securing Microsoft platforms and products
Careers and Certification Tip: No Microsoft security cert, now what?
Security Policies Tip: Keep on top of security patches for Microsoft products
This was first published in March 2002