Someone says "X is more secure than Y," I say "it's the motherfucking administrators." There are certain kinds of cars which are more prone to accidents, but no one seems to lose sight of the people behind the wheel there.
OpenBSD has few security problems out of the box, but the install is so hard for the newbie admin that needs to set something up, that it's not useful. If they don't give up and install RedHat, they will just enable WuFTPD anyways. Similarly, a person skilled and educated about security can do their best to ensure your Win2k IIS box is rock solid, security-wise.
You need to not focus on the OS, as the OS merely lends itself to the user in different ways. It's all the fault of the administrator or user when their server or workstation has a security issue. If you're not knowledgeable, or have not taken the time to become knowledgeable, about security -- you are the main one at fault when some script kiddy attacks your servers.
And let's not forget that there is also a small window between a new vulnerability being posted to Bugtraq, and your admin handling it. That's a bit different. So is a proper, concerted attack by a person skilled in the arts of break-ins probing your system and developing new attacks to deal with your security measures.
[ イノシロ ]