There have been a number of articles / studies on this, the ones I'm largely familiar with in the early aughts / late 90s.
It mostly boils down to fundamental architecture, monolithic design, UI decisions, conflating data + code (e.g.: a "Word Document" or "Spreadsheet File" is really a general-purpose computer program, not merely static text), and ingrained user practices (see today's PHP rant for a somewhat parallel discussion of culture), as well as an inherent lack of transparency, a filesystem model which prevents being able to delete in-use files, etc., etc., etc.
It's a pile of small faults which, in total, create gross instabilities.
Worse: the reasons for this are deeply linked to Microsoft's need to maintain a deep monpolistic lock on the personal computing sector.
And as much as Microsoft continue to address small aspects, the big picture eludes them. Empirical data continue to show that Microsoft systems are far more vulnerable to exploits than alternatives, particularly Linux and Unix derivatives. OpenBSD being the most preemptively secure, in part by digging deep into infrastructure (classic example: string handling to avoid buffer overruns, and an entire huge class of security blunders). There's a humorous bit about various Linux, BSD, and Microsoft responses to security disclosures that's pretty close to truthful (sorry, can't dig it up right now).
My understanding is that Vista and beyond have a fairly indepth and rebuilt security architecture that actually quite good.
Am I wrong?
Further, Linux doesn't seem to have a different design when it comes to monolithic design and tends to actually have worse permissions problems out of the box WRT granularity.
"Linux" can apply to a lot of things, ranging from the kernel to general userland. Clarifying that, there are numerous ways in which it is not monolithic (not in the microkernel architecture sense, but in a general sense) to the same extent Windows is. I'll distinguish here from the kernel and system as a whole (kernel + libraries + executable).
First, a given Linux system can be virtually entirely divorced from userland. Android would be a great example: it runs the Linux kernel and a very, very small set of standard features, on top of which the Android infrastructure itself is place. Android by itself is nowhere near POSIX compliant, though it can be made so by adding additional software (e.g.: busybux, terminal app, etc.).
More generally, any given utility for a Linux system can generally be provided from multiple independent sources, from system libraries to common utilities (e.g.: numerous awk and vi implementations) to services (webservers, databases, etc.). Any one component can generally be replaced or even removed without impacting other components (barring tight dependencies).
It's possible to build very minimial, or very complete, Linux systems. Lightweight bootable images based on little more than a kernel, shell, and busybox. Heavy server or desktop systems with thousands of packages.
The kernel itself is highly modular, both in terms of features (networking, filesystems) and devices (disk, ports, network devices...). Unless specifically added in, graphics are not included in the kernel (obviating large classes of b ugs), and systems can be run without a GUI or even a directly attached terminal. This is a level of flexibility you simply do not have with a Windows box.
Permissions granularity in my experience is largely a bogeyman -- you don't need a highly complex system, you need one that works. The important things are appropriate and usable permissions within an understandable framework. Linux supports user/group/world read/write/execute permissions, SUID, SGID, and sticky bits. It also supports ACLs, though these are very rarely implemented -- they're a maintenance nightmare. If you'll stick to Debian, you'll fidn that permissions matter and are generally set to be both safe and sane by default.
If you've got something specific in mind, I or someone else might be able to address it.
As for Vista: Microsoft have played the "we've fixed the security problem" record so many times over the past 15-20 years that the grooves are worn smooth. While things may have improved, I still see a landscape littered with exploits and attacks, as well as a security infrastructure (virus, spam, network intrusion, and other scanners) I in large part don't have to worry about on Linux systems. Yes, there's vigilance required. But it's at a whole different level of intensity. While I don't work with Vista (and apparently few will), I don't see any fundamental changes which would be required to change the Linux vs. Microsoft security picture.
I still don't see any _fundamental_ difference on the points you make between Windows and Linux: monolithic design due to performance considerations, both have bugs, etc.
A given bug in a GNU/Linux distro tends to affect a single piece of software which any given user may or may not have installed, may or may not be using, and/or may or may not be using in a way that exposes them to the vulnerability. There are classes of bugs for which this is not true, mostly affecting the kernel itself, but these are fairly rare.
Bugs affecting Windows frequently exploit features which are deep and broad, have profound systemic effects, or are easily exploitable on large classes of systems. The Sapphire/Slammer worm comes to mind -- you wouldn't think that the Microsoft SQL Server would be a widely installed desktop component, but as the Desktop Engine, it was.
http://en.wikipedia.org/wiki/SQL_Slammer
Other factors affecting this:
With Linux, I have one-stop shopping for most of my security updates affecting virtually ALL software on my system. Updates are atomic, can generally be applied without rebooting, and (due to nearly two decades of process improvement and strong policy) nearly always work. There are differences even among distros -- I find Debian tends to have the most robust practices, so long as you stick with stable, RHEL is a lot more hit-or-miss. This is a direct consequence of Debian Policy. Read it and understand it.
Linux software components tend to do one thing and one thing well. Rather than ship kitchen-sink "Enterprise Solutions", most Linux software and subsystems focus on a single task, are principally controlled and configured via commandlines and textfiles (lending themselves to scripting, version control, and configuration management generally, hence, better and more consistent processes). Again, not uniformly true, with GNOME (not a server package) and Systemd being notable exceptions.
There's an unprecedented level of transparency. Even as a mostly shell-tools kind of sysadmin, I can directly monitor system state through shell tools, strace, and /proc. Even finding myself on Linux-like environments (e.g.: Mac OS X, Solaris) lacking all of these features, I feel their absence profoundly. There's little about a process or system I can't examine directly and/or log.
There's more out there. If you're not willing to be convinced, there's little I can say or show you that will change your mind. But you're more than free to do your own legwork.
>Nick Petreley's "Security Report: Windows vs Linux: An independent assessment" remains largely valid
No, it doesn't.I skimmed through it and it's pretty outdated, especially with the changes in Windows Vista and Windows 7 and with regards to things like IIS.
They're all fundamentally insecure, because they are designed around the notion that we trust certain users and not others, instead of the notion that we trust certain code and not other code, depening on what it wants to do.
