Sometimes it's not performance; corporate security policies often state that web and SQL can't reside on the same box. Sometimes it is performance though. With more than 100k managed objects spread across a rather large network, we're dealing with almost 30 scanners and a dedicated database.
I like the database and webserver being separate. It's entirely possible to run a scanserver service in the background on both and get pretty good performance.