The reason 'people' and the developers say XAMPP is not for 'production' environments, is that BY DEFAULT (when you 'just install it') - its not very secure. It was configured
by the XAMPP developers to be that way - so that testing and devlopment work wouldn't hit a lot of roadblocks.
HOWEVER - inside XAMPP is the exact same source code Apache, PHP, Perl and MySQL as any other installation (all compiled for Win32, thread safe Apache). The difference is in the configuration values. If you follow good basic security procedures (make changes such as those I recommend) - your XAMPP install is not much different than any other AMP 'stack' built - they ALL come from the same source code, just like all Linux distributions start with the same Linux kernel. Its all in how you set them up. My guide takes you to the point its reasonably secure.
BTW - I have an SMF forum myself running on a W2K3/IIS6 server, so I'm familiar with what's needed. All Forums - effectively - have their own security, whether its YaBB, phpBB, or SMF just like blogs and CMS's. So all you 'really' have to secure is MySQL and phpMyAdmin - after that you are at the mercy of the built-in spam-guards and anti-hacking measures the devs on the various forums projects have built into the software and its configuration tools (like the 'included' .htaccess files).
That ECG Guide sits on a XAMPP server that also has two forums, a mulitingual PHP web portal built around a WordPress core, and a MySQL research database development project. They are all experiments, and I don't plan on really heavy trafiic. But that's all a function of hardware and bandwidth, not the software configuration. I won't jinx myself by saying 'feel free to attack my server', lOl. There are suites that can be used to 'beat up' servers - and I do that periodically with all my servers, kinda to see what's new and different in the way of attacks - Score to date - JonB has pitched consecutive shutouts, hehehe.
The relevant question is 'how many concurrent visitors'. If its in the hundreds, you need a 'real hosting setup' like a VPS - if its realistically 5 to 10 concurrent users - you would be very surprised how little hardware and bandwdith you need to keep it humming (either with a WAMP/XAMPP/LAMP stack or with IIS) - I have 'all those' in different flavors, including what anyone would call 'real dedicated servers' and VPS's running server OS' and installed in datacenters, so I'm not fussy what you want to run, I'm a realist/pragmatist.