802.1X is secure if you are using the right combination of features -- WPA2 and PEAP-MSCHAPv2 or a certificate-based EAP seem to be the industry standard.
If you have a mix of users that should and should not be allowed into the DMZ, the RADIUS server should be able to be configured to send a message along with the authorization accept that will cause the Cisco gear to put the users with DMZ access in a different VLAN, as long as it has a way of knowing which users those are.
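
The following is an added example, not part of the original answer: it sketches the VLAN "message" in an Access-Accept, assuming the server uses the standard tunnel attributes from RFC 2868 / RFC 3580 (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). The group name, VLAN IDs and function names are constructed for illustration.

```python
import struct

# RFC 2868 / RFC 3580 attribute numbers and values for dynamic VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6

# Constructed policy (hypothetical names and IDs): directory group -> VLAN
GROUP_VLAN = {"dmz-admins": 30}
DEFAULT_VLAN = 10


def vlan_for(groups):
    """Users without a mapped group fall through to the non-DMZ default."""
    return next((GROUP_VLAN[g] for g in groups if g in GROUP_VLAN), DEFAULT_VLAN)


def vlan_attributes(vlan_id, tag=0):
    """Encode the three Access-Accept attributes as RADIUS TLVs."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    # Tunnel-Type and Tunnel-Medium-Type: tag byte followed by a 3-byte value
    ttype = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + VLAN.to_bytes(3, "big")
    tmed = struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + IEEE_802.to_bytes(3, "big")
    # Tunnel-Private-Group-ID: VLAN ID as ASCII; tag byte present only if nonzero
    value = (bytes([tag]) if tag else b"") + str(vlan_id).encode("ascii")
    tpgid = struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(value)) + value
    return ttype + tmed + tpgid


def decode_vlan(attrs):
    """Return the VLAN ID only if all three attributes are present and agree."""
    seen, i = {}, 0
    while i + 2 <= len(attrs):
        attr_type, length = attrs[i], attrs[i + 1]
        if length < 3 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        seen[attr_type] = attrs[i + 2:i + length]
        i += length
    if seen.get(TUNNEL_TYPE, b"")[1:] != VLAN.to_bytes(3, "big"):
        return None
    if seen.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != IEEE_802.to_bytes(3, "big"):
        return None
    gid = seen.get(TUNNEL_PRIVATE_GROUP_ID)
    if gid is None:
        return None
    if gid[0] <= 0x1F:  # a first byte of 0x01-0x1F is a tag, not part of the string
        gid = gid[1:]
    return int(gid.decode("ascii"))
```

Running `decode_vlan` over the attributes captured from a test login is a quick way to confirm that a DMZ user and a non-DMZ user really receive different VLAN IDs.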