Walking the fence, both sides have merit
[OK - this is my virgin post on Anti Online so go easy with me...]
I think in the case of Internet Information Server 5.5 (don't even bother with previous versions - they're obviously Swiss cheese and undisputed as such I imagine) you have to look at this in the "marketing vs. security" light. As we all (should) know, installing IIS in the normal Microsoft fashion performs the kitchen-sink install, turning on a ton of features that aren't needed.
It's really quite silly, considering that the "features" that are least often used are the very features that I'm sure some security guy in Microsoft suggested in a meeting at some point not be enabled by default - only to get a sound trouncing by someone in marketing holding the ace of spades to his queen of hearts. Silly stuff like the handful of ISAPI filters that don't need to be mapped are a good example. Less than 1% of the folks using IIS need this stuff. Were they to be unmapped in the default install, Microsoft would be better served in doing the one thing they've been terribly unsuccessful at thus far - mitigating bad press.
Given Mr. Gates' cry for more security in his organization, I expect we will see some serious changes to the default installation schemes in .Net and/or whatever other versions of Windows are coming down the pipeline. This will certainly be an indication as to whether or not Bill is _serious_ about security. If the default install changes - and they start requiring an administrator of an IIS machine to know how to turn on (as well as off I guess in this case) those features that are needed, we'll know he was serious. If things don't change, we'll know that Microsoft is first and foremost a marketing company. (Which currently stands as the truth IMHO.)
I certainly agree that any fool who says "I've got product XYZ over on IP address x.x.x.x and it is utterly un-hackable!" deserves to wind up on the front page of the trade rags in full regalia with their pants down around their ankles. Alas, I don't believe this is what was said in the original article. The statement made was (to paraphrase) "you can make it as secure as you care to". This means that some form of intellect other than "click the Yes or OK button" is involved.
Personally, I'm a huge fan of Open Source. I use a lot of Linux, OpenBSD, Apache, and a host of other open source releases. I also admin Windows by day, which helps me keep up with my two most favorite pastimes - living indoors and eating. I've used both, made both secure, and seen both hacked to hell in a handbasket as well.
Cheers,
Kyrka