first off, I'm no expert, but here's my two cents for what its worth:

it doesn't only depend what os you are running or what server prog., but also exactly what you are serving from the website. For example, if you are serving only static pages (no cgi, no php, no asp, or any server-side programming like that), then that server would be much more secure than a server that has cgi programs, asp, etc, since malicious hackers might be able to turn those programs that run on your server against your own server (or other servers).