Secunia reports: " A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed". Also, this blog post states "Apple may be the industry leader in software vulnerabilities with a terrible record on patching speed."
Why am I posting this? Cause it's from people that are Microsoft fans. Having taught IIS 5/6/7 security for quite a while, I've caught more than my share of arguments that Microsoft's software is inherently insecure. I don't apologize nor attempt to minimize the impacts of really huge security problems that have happened. But by in large, most of that is history. The infamous declaration by Bill Gates, post Code-Red, that security is job 1 at Microsoft had real meaning. Not just a marketing story, but everything changed at Microsoft and Windows Server 2003 was far, far more solid than anything they had ever done. Goto Secunia and compare the track record of IIS 6 to any other web server. Facts are facts.
The point here is that Microsoft knows a great deal about security and pioneered the massively scaled Windows Update program that keeps millions of systems updated worldwide. That's free, btw. I've known other providers that charge you for security updates. Also, even though there are thousands of Microsoft products, there is a single security policy and practice for communicating, replying, and releasing security updates in real time. That's a great value that's built into those who use MS products and service that is unparalleled in its scope and sophistication. I know some of these guys and trust me; you want them to be in running the show if there is a serious security issue.
All in all, Microsoft gets a bum rap on this and it's too bad cause the industry as a whole would do well to acknowledge that Microsoft has been leading in this area for quite a while. Of course, all you hear about are the complaints. If you worked for a year to design some code that prevented a major attack from occurring a year later, you wouldn't hear anything about it, but it still took a years’ worth of work. In the end, you have code that is solid and the number should reflect that. And they do. See