When OpenAM servers are to be deployed in Production, high availability is required most of the time (in fact, all of the time for my customers). So this implies more machines and thus more money!
And so, usually where high availability is concerned, 2 boxes are more than what they can commit.
But it is not good practice to deploy the Administrative Console facing the Internet. I would recommend the following architecture, always.
This architecture strips off the administrative capability of the 2 Internet-facing OpenAM servers. To save cost, the OpenAM server with the Administrative Console can be deployed on one of the boxes.
It's not resource intensive, since how many administrators can you have in a corporation? It can also be shut down when not in use. No excuse please.