But if Microsoft will go to such huge lengths... are they actually more secure than Linux? Or are there lengths that they won't go to, no matter how much they spend?
I'm just going to say that when you slip a major release date for a multi-billion-dollar product by several weeks just to go back through all your code to see if there were any integer overflows that you might have missed, after somebody points out a new code pattern that might lead to them, you've firmly established yourself at one end of the spectrum.
I simply don't believe that any other team, open source or commercial, would do something like this. I've seen too many of both kinds of teams blow off actual documented vulnerabilities to think that they'd hurt their own progress to chase down hypothetical ones.
The rest of the discussion is academic to me. By all means, use Linux. We do for our Rails app. Hooray for open source.
And the process where developers submit their patches to a mailing list and they are reviewed by people above them is what?
A code review.
You can't measure Microsoft's expenses against the expense of developing Linux. Linux was not cheap to make either; it's just that the time is distributed across a lot of books instead of one set.
I'm not even a little bit interested in getting into a religious argument with you, but I will take a moment to point out that the "code review" that a Linux kernel driver patch receives is nothing remotely like a security code review.