Eweek are carrying a story covering some forrester research comparing vulnerability levels and response times across a range of vendors.
The thing that always strikes me about this kind of research is whether they are comparing like with like. For example if they are comparing ALL vulnerabilities on Microsoft software with ALL vulnerabilities in software in a given Linux Distrabution, then thats really a bit meaningless in the real world. I mean who's going to have all that software installed in a given environment.
A far more meaningful way of presenting the information would be to establish typical usage profiles, for example "corporate desktop" or "web server" state what packages those would contain and then measure the vendors based on the vulnerability levels present.
My gut feeling, although I could be wrong, is that Microsoft would probably come out worst in that kind of analysis, as many of the vulnerabilities they have had recently have been in core parts of their system (ASN.1 being a good example) which would appear in every loadset, and of course the fact that they're overall strategy seems to involve a lot of integration of systems, leading to a larger overall attack surface.