The system I setup for my company uses as little "spam-scanning" as possible:
1) greet-pause (reject mode)
2) IP-blacklist (reject known bad sending IPs)
3) SPF (reject if indicated)
4) TLS (temp-fail if indicated)
5) greylist (temp-fail mode)
6) rcpt (reject user unknown)
7) max-rcpts-per-envelope (temp-fail overage)
8) max-connect-per-interval (temp-fail overage)
9) IP-whitelist (known good sending IPs skip directly to virus filter)
10) Domain-Spoofers (quarantine - sender can't trip this unless coming from wrong IP)
11) Spam Classifier (quarantine if score is too high)
12) Custom Content Filters (quarantine on hit)
13) Virus Filter (delete on hit)

Log analysis on a regular basis reveals IPs to white list and to black list. We validate these candidates against WhoIs, and other tools (Senderbase is good) before committing them to an actual list. We consolidate lists to network segments whenever possible.

The end results are: no false positives, no viruses, rare false negatives, small quarantine volume, no outbound bounces from us, very few content filters, and a volume block rate of over 95% of about 7 million emails per day. False positive mitigation is extremely simple (and recoverable). False negative mitigation is likewise extremely simple.