Performance isn't the issue - it's security. If you have your webserver outside your firewall and your database inside your firewall, then you can regulate exactly who gets access to the database server. It's that simple.
I don't understand how 2 servers is more secure than 1 server; I tend to think it's the opposite: 2 servers means 2x as much chance of errors in configuration, and I don't think having the webserver and database on different machines gives you security you can't achieve with one machine (you can firewall a database server on the same machine in the same way as you can firewall it if it's on a different machine).
I think the biggest advantage of having one service per machine is that you can tune them specifically and independently for the service, so add 'more iron' (i.e. RAM, CPU, faster disks) if the performance of one of the services is below satisfactory levels.
Update: I see gellyfish has already made the point I make in my last paragraph (see his comments below)
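To make the two positions above concrete, here is an added example (not from any poster in this thread) of what "regulate who gets access to the database server" looks like as a host firewall ruleset, in both layouts. It assumes nftables, a PostgreSQL server on TCP 5432, a web server at 10.0.1.10 and an admin network 10.0.0.0/24; all of these addresses are constructed for the example.

```nftables
# Layout A: separate DB host. Only the web server may reach 5432;
# everything else is dropped by the chain's default policy.
table inet dbhost {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    # assumed web server address: the one client the DB should ever see
    ip saddr 10.0.1.10 tcp dport 5432 accept
    # assumed admin network for SSH; nothing else is exposed
    ip saddr 10.0.0.0/24 tcp dport 22 accept
  }
}

# Layout B: web server and DB on one machine. The DB is never reachable
# from the network at all: postgresql.conf sets
#   listen_addresses = 'localhost'
# and the firewall exposes only the web ports. Any 5432 packet that
# arrives on a non-loopback interface is dropped by the policy.
table inet singlehost {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
    tcp dport { 80, 443 } accept
    ip saddr 10.0.0.0/24 tcp dport 22 accept
  }
}
```

The difference the two posts are arguing about is visible here: in layout A a compromised web server still holds a valid network path to 5432, whereas in layout B a compromised web server is already on the DB host, so the firewall protects against outside clients but not against that local process.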