I always bring at least one additional consideration to the table: Does IT management trust all the domain admins? I mention this because it's difficult to prevent a rogue admin from accessing other resources and data within any of the domains in the same forest. Even though a domain admin is supposed to have full control of only his or her own domain's resources and data, it's possible (but not always easy) for the admin to escalate his or her privileges across the forest. Therefore, if you can't trust all the domain admins, that calls for a separate forest to contain any possible damage.
In short, if you need high security and protection against rogue or compromised domain admins, create a separate forest. If you need different security policies, use a separate forest. If you need the highest security possible, use a separate forest.
Bear in mind that every additional forest or domain created comes with its own management overhead and risks. That's why the U.S. government and many companies are trying to minimize the number of Internet connection points to their networks: Managing fewer connection points reduces security risks and costs.
Active Directory has costs as well, not the least of which is providing two or more secured domain controllers for each separate domain. Every enterprise computer needs a lot of management, including security policy configuration and enforcement, access controls, network management, patch management, antimalware software and updates, IDS, and backup services. If separating the forest means that all the necessary management requirements are done less consistently or inadequately, one can make a strong argument that fewer forests can actually improve security.
Notably, IT can still implement additional defense within the same forest. I'm a strong advocate of server and domain isolation. Instead of relying on Active Directory for logical security separation, why not go down further in the network stack (lower is always more secure), and let routers, VLANs, switches, firewalls, IPSec, NAC/NAP, VPNs, and proxies help maintain security separation?
Most servers don't need to talk to every other server. Most workstations don't need to talk to other workstations. And if they don't need to communicate legitimately, don't let them do it at all. That way, if an attacker compromises a computer, they can only attempt to spread to what the server and domain isolation allows -- no more and no less. Implementing server and domain isolation can significantly reduce risk, well beyond what separate Active Directory forests alone provide.
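One way to put server and domain isolation into practice with IPsec, one of the mechanisms listed above, as an added example that is not code from the column: a Windows Defender Firewall configuration that requires authenticated peers domain-wide and then limits one server's SQL port to an authorized group of machines. The group name, port, and rule names are assumptions.

```powershell
# Added example (not the column's own code). Assumes domain-joined servers,
# the ActiveDirectory module, and an AD group named 'SQL-Authorized-Clients'.

# 1. Domain isolation: require Kerberos machine authentication for inbound
#    connections; only request it outbound so non-domain devices (printers,
#    appliances) keep working while the policy is rolled out.
$machineKerb = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "Domain Isolation - Machine Kerberos" `
    -Proposal $machineKerb

New-NetIPsecRule -DisplayName "Domain Isolation - Require Inbound Auth" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -Profile Domain

# 2. Server isolation: the SQL port is reachable only by members of the
#    authorized machine group. The firewall checks the peer's machine identity
#    established by the IPsec security association, not just its IP address.
$groupSid = (Get-ADGroup 'SQL-Authorized-Clients').SID.Value
$allowedMachines = "O:LSD:(A;;CC;;;$groupSid)"

New-NetFirewallRule -DisplayName "SQL - Authorized App Servers Only" `
    -Direction Inbound -Protocol TCP -LocalPort 1433 -Action Allow `
    -Authentication Required -RemoteMachine $allowedMachines -Profile Domain

# 3. Everything not explicitly allowed is dropped, so a compromised host can
#    only reach what the isolation rules permit.
Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
```

Roll the IPsec rule out in Request/Request mode first and switch inbound to Require only after confirming in the firewall's connection security monitoring that the expected peers negotiate successfully.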