I'm not sure what the answer is here.  Forget your IBM rep.  Suggest you reach out to a reputable business partner for advice.  There's a lot out there, but I'd probably start with http://www.simplified-tech.com/.  I'm sure Lisa knows the answer to this.

I don't know all the license options...  but I don't think you're going to get much savings unless you do something a little different.  The fact that they migrated email is irrelevant.  You have 150 people accessing a Domino server.  You need some kind of "active" license for that.  The fact that you have notes.id's and might not expire for 50 years or whatever doesn't matter.  I believe that id can legally be used against the notes client fine.  But you can't legally take those that are not under maintenance and hit live servers forever...  Remember for a web access there really isn't even a notes.id needed.  Just a person document.  I THINK that domino user licensing goes against what's in the address book itself.  How many users are there.  Again by best guess there.

If they didn't have many apps then they'd be a great candidate for XWork server..  that includes unlimited users.. but a limited # of .nsf's.  There's Domino express licensing... but that's still per user licensing though you get unlimited server ability.

Again - check with a BP but typically if you have 150 internal users hitting the server then you need 150 active licenses I believe.

Typically when people migrate mail away from Domino but want to keep their domino apps they have now increased their costs - not decreased it.

We have used it with Ex Notes customers. The legal entity needs to be < 1000 people 

It is a PVU licence i.e. unlimited NSFs but you pay by the server core - pretty complicated but it may be worth looking at.

The alternative is to run without maintenance which I would have recommended in the past but my experience is that web apps ( like XPages ) need a totally supported server as browser changes and security holes require updates

My experience only, talk to a seller for the real deal.

You need to pay for authenticated access to the server no matter how you connect or how the apps are presented (client, web, xpages, pure html, whatever). You can do that by person or by server but typically the 'by server' option only makes sense for larger organizations. If you allow unauthenticated access, then you typically don't need to pay for CALs but then you have no way to know who's doing what and there is no way to use ACLs/Roles to manage design elements.

If the clients are outright owned, then they're good forever but you don't get upgrades. If you're OK running at version old.old, you're good. If they don't own the clients, then they need to either keep paying for licenses or buy a set.

Server costs depend on PVUs and if you're on a VM or physical machine and VMs make the whole thing a cluster fck...tread lightly if you go that way.