Sorry, but I can't help playing devil's advocate sometimes.
Regarding Exchange for 5-10...yeah it wouldn't be that difficult to set up an additional server and run it. But there isn't anybody there to administer it. Or even do basic maintenance on it. They're big on automating everything as much as possible and then have someone come in a few times per year to check up on things. Otherwise, they call only when they need something new - or if something breaks.
Honestly, with some of the rinky-dink total kludge setups I've seen.... It's truly incredible how durable (read rock stable) Windows servers really are. I'm a huge fan of automation too (especially considering I'm at the end of a 3 week vacation), but I've relied heavily on remote monitoring agents also. Anything that happens on the box (e.g. all monitored servers), is automatically sent to me via Email.
So if they get Exchange in, it will become my ultimate responsibility. And they're in the financial advisory sector so their email has compliance and regulatory baggage attached to it. Some of their communications are also legally binding contracts - so it's a little more complicated than usual with these guys. Which means there's also some serious legal downside potential for whoever is running this for them should something blow up.
Data loss is data loss, backup strategies either work, or they don't. The onus has to go on them if procedures aren't followed. If nobody there rotated the BU media on schedule, and/or took it off site ... That's their ass, not yours if there is nothing to restore from. I just had to ream a client last week (yes during vacation) when I saw 4 of the 5 nightly backup media devices sitting on a table in the server room.
The thing that really makes me not want to take ownership of this for them is the fact they will not allow remote access into their network for server or system maintenance. Don't know exactly why, but that's how it is with them. Somebody's advice or orders apparently, and a 'non-discussion' topic.
Zoiks! I'd charge extra for that (not kidding). But if you had a remote monitoring agent (we use Kaseya) most of what you'd be in there to check for gets delivered to your inbox in damn near real-time. I've had several times where a client called to inform me of an issue that they just noticed, that I'd already been working on for an hour.
On the plus side, they're ok with paying big bucks for a four-hour onsite response window - but that doesn't help with Exchange since you know as well as I that it should be checked every day or two. And we're not staffed such that we can have someone run over there every other day for what they'd be willing to pay for us to do it.
Every day or two?? If Exchange was that unstable I'd have switched to something else years ago. Prior to running the (Exchange version of the) MBSA perhaps... Granted I do pay very close attention to the backup reports (transaction log handling), but that too is done via automated Email. What is their projected Email volume? You mentioned contracts which conjures up images of huge attachments created by someone scanning in a 200 page document with the scanner set to high res photo quality (seen it happen many times).
Client: Why can't I receive an Email with a 75MB attachment??
Me: O_o ... You Want to WHAT?!?
Oh Yeah ... It's happened.
their volume is projected to be of a manageable size ... Then it should be do-able. What are they using now? And how much better does it need to be? Also, most importantly, how much risk are they willing to take (in writing). If solution X is compliant to degree Y, contingent on conditions list Z ... You get a bit of breathing room. The phrase 'Best Effort' is popular for a reason.
So those are the main reasons why I just want to farm this out to someone else. Fortunately, there are a bunch of companies catering to their specific industry and regulatory environment, so I'm guessing I'm not the only tech that's reached the conclusion this is a "special risk/requirement" project better handled by a specialist provider.
There is a tendency in IT for people to assume that their specific vertical needs "$pecial" attention ...(Medical (EMR) software...)... and there are a ton of shysters out there that are willing to jack up the price and Give-IT-To-Them... But that doesn't make it right. Or frequently any safer, it just means somebody else is holding the ball. If you recommend a 3rd party company, and they manage to Bork it ... There's still a chance it'll blow back on you. Nothing to do with "fair" ... It's "Just Business" ... Ya know?
The MS hosted Exchange thing did come to mind, but I've no personal experience with it. I have heard some availability complaints ... but they are fairly old IIRC.