Putting them on the same machine:
- Reduces latency between them - so if you have lots of easy queries, this can improve performance
- Makes your development and performance testing easier because you can do it with a single box (or VM)
If the application does not need redundancy and doesn't need to scale out, putting them on the same box is a definite win - it's far easier to maintain.
I don't think the security argument carries any weight - I don't see any security benefit of separating them. The web server would need to have enough access to the database to view and modify all or most of the data anyway, so if it were fully compromised, the SQL box would effectively be compromised too.