The base level for any SharePoint implementation is the SharePoint farm. Physically a farm can consist of one server or many servers. An organization may implement one or more farms. This usually depends on security and performance needs.
From a performance perspective, it may make sense for an organization with locations across the globe to maintain multiple farms, with each location accessing the content closest to it for speed. In these cases, content between the farms needs to be synchronized.
From a security perspective, an organization may have a SharePoint intranet for internal content and a SharePoint extranet for third-party access. All or some components of the extranet farm might have to be located in the DMZ, whereas security policies or concerns may prohibit placing any portion of the intranet farm outside of the organization's physical network.
The next level contained within a farm is the web application. A farm will contain multiple web applications. A web application is always created for Central Administration and at least one web application will be created for the SharePoint intranet, extranet or internet site.
Instead of having multiple farms, an organization can have one farm and implement an intranet on one web application and an extranet on another. Security is maintained separately for each web application, restricting access.
A web application is where you implement and maintain authentication. Users of the intranet may authenticate against a directory service like Active Directory, and users of the extranet may authenticate against a SQL Server database using forms-based login. A web application can also be extended to another web application to allow multiple ways to authenticate. Take the extranet as an example: external users authenticate against a SQL Server database in one web application, and internal users authenticate against Active Directory in another, extended web application. The result is two web applications pointing to the same site but with different ways to authenticate.
Lastly, a web application has its own website and application pool in IIS.
The third logical level is the site collection. A site collection is where the design, security, navigation, content types, web parts, workflows and so on are maintained for all the sites within the collection.
An organization might create a site collection for the IT department and one for the HR department, each with its own branding design, security policy and navigation requirements.
The last level is the SharePoint site, although it can be argued that libraries and lists are logical levels themselves.
Instead of a site collection for each department, an organization may simply decide to create a site for each department when branding, security policies and navigation should be the same across departments.
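The hierarchy described above can be walked from the SharePoint Management Shell to review where authentication and security boundaries actually sit. The following read-only inventory is an added example, not part of the original article; it assumes an on-premises farm with the SharePoint PowerShell snap-in available and an account with farm-level read access.

```powershell
# Added example: read-only inventory of farm -> web application (per zone) -> site collection.
# Assumption: run on a farm server with the SharePoint snap-in installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

Start-SPAssignment -Global   # track SPSite/SPWeb objects so they are released at the end

# Level 2: web applications. Each zone is the original web application or an extension of it.
$webApps = foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    foreach ($entry in $wa.IisSettings.GetEnumerator()) {
        $zone = $entry.Key
        $iis  = $entry.Value

        # Authentication is configured per zone: list the claims providers, if any.
        $auth = if ($iis.UseClaimsAuthentication) {
            ($iis.ClaimsAuthenticationProviders | ForEach-Object { $_.DisplayName }) -join ', '
        } else {
            'Classic Windows authentication'
        }

        [pscustomobject]@{
            WebApplication  = $wa.DisplayName
            Zone            = $zone
            Url             = $wa.GetResponseUri($zone).AbsoluteUri
            AppPool         = $wa.ApplicationPool.Name
            Authentication  = $auth
            AnonymousAccess = $iis.AllowAnonymous
        }
    }
}

# Levels 3 and 4: site collections and the sites inside them.
$siteCollections = foreach ($site in Get-SPSite -Limit All) {
    $webs = @($site.AllWebs)
    [pscustomobject]@{
        SiteCollection      = $site.Url
        WebApplication      = $site.WebApplication.DisplayName
        Owner               = $site.Owner.UserLogin
        Sites               = $webs.Count
        # Sites that no longer inherit permissions (the root site always counts as one).
        SitesWithUniqueAcls = @($webs | Where-Object { $_.HasUniqueRoleAssignments }).Count
    }
}

$webApps         | Format-Table -AutoSize
$siteCollections | Format-Table -AutoSize

Stop-SPAssignment -Global
```

A zone that reports `AnonymousAccess` as true, or an extranet zone sharing an application pool with the intranet, is worth checking against the separation the design intended.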