The "by default" question is garbage, which is part of the point I am trying to make. It is garbage for a number of reasons:

The default configuration is the measure of a given system, not the OS.
There is no baseline for default configurations; different systems are configured by default to do different things.

As for the most secure OS, any featuring a verified protection model and formalized and verified reference monitor (in the case of KSOS based on a finite state machine) will be equally secure. Why? This means you have a theoretically secure protection model, all the capabilities required to implement it and proven complete assurance. The system as a result is theoretically secure.

cheers,

catch
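To make the "finite state machine" point concrete, here is an added example that is not part of the post above and is not the KSOS model: a toy two-level protection model, a reference monitor that decides access requests, and an exhaustive enumeration of every state reachable from the empty state to check a flow invariant. The subjects, objects, levels and both policies are constructed for this example. The point it shows is the one the post makes about assurance: with a finite model you do not test some transitions, you examine all of them, so a monitor that omits the *-property (no write down) is caught on every run, not by luck.

```python
"""Toy finite-state model of a reference monitor, checked exhaustively.

Constructed illustration: the lattice, subjects, objects and both policies
below are made up for this example. They are NOT the KSOS model.
"""
from itertools import product

# Two-level lattice, LOW < HIGH (constructed).
LOW, HIGH = 0, 1
SUBJECTS = {"s_low": LOW, "s_high": HIGH}   # clearance per subject
OBJECTS = {"o_low": LOW, "o_high": HIGH}    # classification per object
MODES = ("read", "write")


def weak_policy(subject, obj, mode):
    """Monitor that enforces only 'no read up' (simple security property).
    Any write is granted, so a cleared subject may write down."""
    if mode == "read":
        return SUBJECTS[subject] >= OBJECTS[obj]
    return True


def bl_policy(subject, obj, mode):
    """Monitor that enforces 'no read up' AND 'no write down' (*-property)."""
    if mode == "read":
        return SUBJECTS[subject] >= OBJECTS[obj]
    return SUBJECTS[subject] <= OBJECTS[obj]


def leaks(state):
    """Invariant violation: one subject simultaneously holds read on a HIGH
    object and write on a LOW object, i.e. a channel from HIGH to LOW exists.
    `state` is a frozenset of (subject, object, mode) accesses currently held."""
    for subject in SUBJECTS:
        reads_high = any(s == subject and m == "read" and OBJECTS[o] == HIGH
                         for s, o, m in state)
        writes_low = any(s == subject and m == "write" and OBJECTS[o] == LOW
                         for s, o, m in state)
        if reads_high and writes_low:
            return True
    return False


def successors(state, policy):
    """Transition relation: every request the monitor grants, every release."""
    for s, o, m in product(SUBJECTS, OBJECTS, MODES):
        access = (s, o, m)
        if access in state:
            yield state - {access}            # release is always permitted
        elif policy(s, o, m):
            yield state | {access}            # request, granted by the monitor


def explore(policy):
    """Enumerate every state reachable from the empty state under `policy`.
    Returns (set_of_reachable_states, first_violating_state_or_None)."""
    start = frozenset()
    seen = {start}
    frontier = [start]
    violation = None
    while frontier:
        state = frontier.pop()
        if violation is None and leaks(state):
            violation = state
        for nxt in successors(state, policy):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen, violation


if __name__ == "__main__":
    for name, policy in (("weak_policy", weak_policy), ("bl_policy", bl_policy)):
        states, bad = explore(policy)
        verdict = "invariant holds" if bad is None else f"VIOLATION in {sorted(bad)}"
        print(f"{name}: {len(states)} reachable states, {verdict}")
```

Under `bl_policy` the search visits every reachable state (64 of them here) and finds no leaking one; under `weak_policy` it reaches a state in which `s_high` reads `o_high` while writing `o_low`, and reports it. What such a check establishes is a property of the model; the remaining assurance work, which the post's "proven complete assurance" refers to, is showing that the real monitor implements exactly this transition relation and nothing else.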