SANS an internet security institute publishes in his top twenty that IIS from M$ is one of the most vulnerable software packages on the M$ list. It is very sensitive for Denial of service attacks and sometimes can give very sensitive information to non authorized users. Next to IIS we see MSSQL, Windows login and Internet Explorer. In the unix top twenty of most vulnerable software it's BIND Domain Name System on number one, followed by RPC and Apache.

Read the whole article at SANS website