^^^ all of that.
Diablo also opts-out of ASLR, which makes it trivial to exploit (network receive buffers are at a static/fixed address).

Well, I suppose if you regularly expose yourself to potential exploits... and I guess if you go to "lan parties" or the like, or perpetually play peer-to-peer network games with strangers... this might be a serious issue.

But I have a system here which nobody but me uses. I don't use unsecured connections, don't download unidentified software without giving it a thorough vetting first, don't just pop thumbs or disks into my system without prior vetting, etc. And... perhaps most significantly in this case... I don't use insecure "chat servers," click on unknown links in emails, or allow anyone access to my local network without my direct oversight.

But, for, say, a college kid with a bunch of wireless connections, in a dorm where you KNOW people are running exploits and all sorts of sleazy stuff... yeah, I'd recommend leaving DEP on.

For me, literally 1/2 of my owned software fails if DEP is allowed to run on it. I have a LOT of software, including quite a bit of older stuff. It's not ALL "hackily written." The reality is, the sort of "protection" which DEP provides was never even DREAMT of until a few years back. Now, if you could go back and rewrite the full code base of all software developed before the introduction of the concepts upon which DEP is based... sure, it would be a "win-win" all around. But it's not just "badly written" software which it interferes with. It's anything older than DEP, effectively.

I'd think this would be a no-brainer for people buying stuff from "Good Old Games." Unless GoG fixes the issues, the vast majority of (non-DOS, non-ScummVM) games out there would not be able to be sold in workable fashion with DEP in place.

This, in fact, is really what GoG's techs seem to do best... fix the basic incompatibilities. Sometimes simply through creating a compatibility-database-entry set for a given program. Sometimes by altering the core elements of the code in some small (but signifiicant) way. And that's why I tend to buy stuff from these guys.

That simply isn't true, other platforms older than x86 had W|X/NX protection since their inception. And even in the case of x86 NX has been around since ~2000, much more than "a few years".
The flags for allocating executable memory existed before DEP was implemented and should have been used. Assuming all dynamically allocated memory will be within the code segment is a programming error regardless of whether it causes a fault (and in the end, it did). Except in this case they released the game without any fixes and weren't even aware of the issue.
Then they added a small section in the troubleshooting guide telling people to disable DEP. It failed to mention that changing the system DEP policy requires a reboot.
Then somebody posted which bytes to hexedit as a workaround, and GoG updated their package.
Then they made the exact same mistake with Warcraft2 which is still currently broken.

I receive e-mail from people I don't trust to practice good security hygiene, and I don't trust the authors of my e-mail client to know what they're doing (they included support for reading HTML e-mail, so they're clearly untrustworthy :)), so yes, I regularly expose myself to potential exploits. Remember, there were a number of vulnerabilities over several years where simple receipt of the malicious message would provoke the mail client bug, independent of whether the user clicked any links in the message. I suppose you only browse the web using a specially hardened version of Lynx? :) As for peer-to-peer games: we are discussing this on a forum dedicated to the re-release of a game known both for its embarrassingly vulnerable code and for its wide following. Back when Diablo was very popular, you could easily find dozens of games to play with complete strangers, at any time of day.
So you stay off battle.net?
Without names, I cannot confirm or disprove this statement. I doubt that DEP is the problem though, unless your next statement is wrong:
If it fails under DEP, it is poorly written. Full stop. Some of Microsoft's access control mitigations (like User Account Control) had nasty consequences, but DEP (a security mitigation) is well done, as far as I know. If you have a specific use case which DEP should have permitted, but does not, please describe it.
Wrong. Anything done correctly the first time, which as far as I know covers everything generated by popular compilers, runs fine under DEP. If you have a specific example of a program that, through no fault of its author, is DEP-incompatible, I'd like to see it. As far as I know, all DEP-incompatibilities are because the author decided to be clever and generate code outside the confines of the compiler, but not be so clever as to do it the way the compiler would have done.
Half right. Old software has plenty of problems with current systems, but DEP is not to blame for this. Other bad decisions, like using CPU clock speed as a timer or assuming no access control on files (writing configuration to the Windows install directory) are far more common. There are also other problems where Microsoft simply removed system functionality the old games expected to access.

Of course... but for some reason the GOG guys don't have XP as supported in their store page! Also, I don't know anything about the net code and I am speaking only of the single player campaign. Looks like other people here are looking into the net code..

They don't test on XP anymore because GOG are focused on modern operating systems, which they seem to consider Win 7 and above. (old games that run on modern machines/OSes)

No DEP issue with Wc2 or Diablo or any game. On desktop DEP enabled on default set (only certain system program\services), on 2 notebooks - fully disabled.
Windows security - what is that broken. CD Warcraft 2 Bnr and "classic" GOG versions D1\Wc2 always work perfect. If not for someone - it them fault.