Zone-h have another interesting report on this issue, which they conclude as:
In fact, nowadays many of the intrusions are performed at database or application level.
Regardless the OS.
Regardless the web server.
Sql injection and file inclusion are the most used tecniques in the latest months. This is happening because the usual "availability" of exploiting codes has been constantly decreasing over the last 12 months since groups like Teso has stopped to release to the public.
The moral is, in this historical period of the Internet, don't trust anybody who is "lecturing" about the inherent vulnerability of a particular Operating System.
This makes a lot of sense to me. The focus on security comes down to the developer and the dba and the designs they have chosen and the o/s is less important.
Read the full report here: http://www.zone-h.org/en/winvslinux2