In the case of people taking laptops out into the "wild" there are things which can be done to minimize risk which are within a small company or non-profit's budget such as restricting Port 25(SMTP), using web filtering from the likes of WebSense, Blue Coat etc. along with of course making sure there's effective anti-malware software which is being updated daily.
It's also helpful to educate users about the risks involved with porno, free-%STUFF% and P2P sites along with policies disallowing use of organization hardware to access such sites.
Sure the laptop might get "infected" but if it can't send any spam because Port 25 on the LAN is restricted or blocked entirely (if Exchange Server is being used or mail clients use SMTP-Submit on Port 587 to the official outbound SMTP gateway) and if a web filter keeps the "bot" from calling home the damage of an infection (such as getting your email server blacklisted) is minimized.