How many vulnerabilities have been discovered in IIS over the years vs Apache? Apache is used far more than IIS is. Your argument only holds so much water. When you examine the track records of various pieces of software, you begin to see that the number of vulnerabilities far outweighs the proportion of users.
Where is your evidence for this statement?................Apache is:

1. Something you have to buy separately
2. Something that you run deliberately.
3. Something that you have to set up.

I have a Windows2000 Professional box I built a couple of years ago..............IIS runs by default unless you turn it off so I think that your assertion about Apache is badly flawed. People have been running IIS by default and without knowing it.............that makes them "soft users" (sure, it is an MS failing, but it is compounded by users)

It's all well and good to be the armchair theorycraft security hobbiest/researcher/whatever and make wildly baseless claims, but until you start finding vulnerabilities your ideas are still in the realm of theory.
Well don't you fall into that category yourself? "Vulnerabilities" are irrelevant............."Exploits" are what do the damage.

Anyway, the theme of the thread was geared towards OPERATING SYSTEMS, rather than specific elements of them?