Arguably, MS has the largest install base and very complex code.
That lends itself to exploit. Let's not pretend that other OSes don't have vulnerabilities.
How many Unix boxes out there still have the sendmail exploit available and thats a decade old.
It's all about the Sysadmin.

Agreed to some point. Apache actually still leads the web server market, although IIS is gaining quite a bit of ground.

As far as "It's all about the sysadmin", yes it is. I'm just always amazed at how many new MS exploits appear, and how long it takes for a fix to be released. Then you have the issue that almost no MS admin, not even the MCSEs know about hotfixes.

If Microsoft wants the desktop market, they need to have child-proof security built in. Expecting a home user to be a sysadmin is not the right thing. Lets bring up the car analogy. How many people out there only know how to drive their cars, and not repair them? Quite a few. But that industry knows that, so they provide easy instructions for common things, like filling the tank, or changing the wiper blades. Compare that to Microsoft, who only shows off their products "new and improved" features, instead of teaching them they need to click on "Windows Update" every once in a while. They are getting better, but more work is needed if we want to keep the internet in a useable form down the road.