There's a really interesting posting at Visual Complexity that provides a good illustration of what I think Microsoft's main remaining security problem is.
MS have done tons of work on improving their code quality, improving their default builds and adding features like Address Space Layout Randomization (ASLR) to make hacking into their products harder.
The one area that's left is complexity. Ultimately, the more code that is installed on a system, the more code there is to be attacked, either remotely or locally. What the graphs from Visual Complexity show is that, for web servers, IIS on Windows has more potentially active code than Apache on Linux.
Hopefully some of the other stories that have surfaced recently will lead to the possibility of having a very stripped down Windows OS if you need it...