first off, I'm no expert, but here's my two cents for what its worth:
it doesn't only depend what os you are running or what server prog., but also exactly what you are serving from the website. For example, if you are serving only static pages (no cgi, no php, no asp, or any server-side programming like that), then that server would be much more secure than a server that has cgi programs, asp, etc, since malicious hackers might be able to turn those programs that run on your server against your own server (or other servers).
Exploits depend on many things. you may only server static stuff but is CGI enabled? if so it can still be exploited.
p.s. Make sure apache is patched!! Its on their site so go get it!