And I don't want to sound overly cavalier, but is there any evidence that her private server was actually less secure?
This is big, and it was less secure. From a pure security standpoint, a few points.
First, even in these post-Snowden days, the majority of SMTP mail servers, provided that they want to talk to each other, do not verify digital certificates. They just accept whatever is presented and proceed with encrypting data using the public key from the presented certificate. This scheme isn't secure, as it allows an easy setup for a man-in-the-middle type of attack, which involves a third mail server introduced between the sender's and the receiver's servers that poses as the receiver's mail server to the sender and as the sender's mail server to the receiver. In the majority of cases, it involves cooperation from an ISP or establishing control over the ISP's equipment.
Exchanging e-mails between mailboxes of the same e-mail domain is secure, as it doesn't involve sending data via untrusted channels. Of course, there are some other risks here, like a rogue mail server admin, etc., but these risks are more or less easily mitigated, and they are present in a multiple-mail-server scheme anyway.
Also, there's an issue with exchanging data between an e-mail server and an e-mail client. It is known that, for a while after it was set up, her server didn't have a digital certificate installed for encrypting client SMTP, POP3, IMAP and HTTP sessions, and Hillary exchanged data between her e-mail client and the server in unencrypted form.
It is known that they had RDP services published to the Internet on this server for ease of administration. Which means that they ran Windows. Did they patch it properly? Who knows. It was around 2011 that a major bug was discovered in MS RDP by Luigi Auriemma that allowed remote-code-execution type exploits. And besides, RDP is a popular target by itself: if you ever publish it unprotected by NLA -- script kiddies immediately start hammering it, trying different user/password combinations. There would be hundreds of attempts per day. And they claim that there was no evidence of any malicious activity in the logs. Unlikely, but anyway, can someone authorized check this out? Nope.
It could be different (which I don't believe) in this case, but it is usually so that the more important a mail server is, the more protected it is. There are dedicated people who install security patches, configure it properly, etc. On average, an e-mail server at home is less protected than an e-mail server at work.
But the most important issue here is creating a possibility for misuse, like not backing up (not retaining) data properly, deleting data, etc., something that actually happened. Which isn't uncommon for "the most transparent administration", BTW. More often than not, data gets lost, hard disks suddenly fail and queues are suddenly too long to respond in time. Now, no matter how many FOIA requests you send -- you won't get anything, because she may have unrecoverably deleted something that should have been retained.
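As an added example (not part of this thread), the kind of log check the answer says nobody authorized performed: it parses constructed Windows Security events (EventID 4625 = failed logon, LogonType 10 = RemoteInteractive, i.e. RDP) and flags any source IP that produced a burst of failed RDP logons. The flat "field=value" layout and the sample values are assumptions, not real log data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a flat "field=value" layout (assumed, not a real
# export). EventID 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2011-03-01T02:14:07 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2011-03-01T02:14:09 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.45
2011-03-01T02:14:11 EventID=4625 LogonType=10 TargetUser=root SourceIP=203.0.113.45
2011-03-01T02:14:13 EventID=4625 LogonType=10 TargetUser=test SourceIP=203.0.113.45
2011-03-01T02:14:15 EventID=4625 LogonType=10 TargetUser=guest SourceIP=203.0.113.45
2011-03-01T09:01:00 EventID=4625 LogonType=10 TargetUser=mailadmin SourceIP=198.51.100.7
2011-03-01T09:03:30 EventID=4624 LogonType=10 TargetUser=mailadmin SourceIP=198.51.100.7
2011-03-01T11:00:00 EventID=4625 LogonType=2 TargetUser=mailadmin SourceIP=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)

def parse_events(text):
    """Parse the flat layout into dicts, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events

def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> (total RDP failures, distinct usernames tried) for IPs with >= threshold failures in one window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["eid"] == "4625" and e["ltype"] == "10":  # failed RDP logons only
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(evs), len({e["user"] for e in evs}))
                break
    return flagged
```

Successful logons (4624) and non-RDP failures (other logon types) are parsed but ignored, so a single legitimate typo from a known address is not flagged while a rapid run of guesses against many usernames is.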