ISA really came down to Information Security Policies. Essentially, we do not let any communication stream enter our network through the DMZ unless it has already been authenticated. We use ISA for OWA, ActiveSync and SharePoint access. The authentication occurs at the ISA level and then the credentials are passed down. So in the case of OWA, once you authenticate to ISA, it takes you directly into your mailbox so long as integrated authentication is turned on. We actually front-end ISA with a DMZ LTM. FirePass was actually considered for this function, but ISA was (sorry F5) cheaper and met our Information Security group's requirements.
So the bottom line is that it is a security decision: how strong do you need/want it to be? I did see another thread on the forum debating ISA and F5, so perhaps you could find some feedback there. http://devcentral.f5.com/Default.aspx?tabid=53&forumid=25&tpage=1&view=topic&postid=2921629216