With the end of mainstream support for Office 2003, it's tempting to retire Office 2003 from a managed network altogether (and replace with Office 2007, in our environment), but there are pockets of resistance (e.g. users who contractually share Access 2003 databases with large consortia internationally). Security is an effective rationale to compel users to upgrade, when it's defensible.
Does Office 2003 represent a security threat on a managed network, due to end of mainstream support?
EDIT: Much of our user base, and our back end, are moving to Office 2007 for Exchange and Sharepoint integration advantages - so sticking with 2003 in general is not the plan, and heterogeneity is a pain.
Office 2003 is safe, as long as you are running SP3 and patching. Microsoft continues to provide security fixes for the duration of the extended support cycle.
We had a similar issue with Access -- some users had Access applications that were essential to whatever they were doing. The solution is pretty simple -- you just configure the installer to leave Access 2003 behind! KB928091 discusses install order and some gotchas. (The big one is that you can only have one version of Outlook.)
You're actually just as well that you've waited, Office 2007 SP2 fixed all sorts of pretty serious errors, particularly with Outlook calendaring with Exchange 2007.
I would say that so long as there is a vector by which outside Microsoft Office 2003 documents can get to the PCs w/ Office 2003 installed, it could legitimately be argued that there is a vulnerability. Having said that, I don't know what Microsoft's policy on issuing security-related patches is after the "mainstream support" period ends. A lot of companies are sticking with Office 2003 for now, and so long as there are enough Customers to create a ruckus when new "0 day vulnerabilities" in the Office 2003 products are found, I would expect that Microsoft will continue to release security-related patches.
(Insert argument for open source software here... You can pay anyone you want to continue to "support" open source software w/o artificial "upgrade treadmills", etc...)