An interesting aside.

The reason the OS security question goes around and around is because the wrong questions are asked. For example:

Wanna talk about the time taken by both the communities to patch critical bugs.
This question is bad because it is too vague. Vagueness leads to inconclusive answers, which lead to a lack of conclusive evidence. Why is this question vague? It fails to address and in fact cannot address a number of issues. Which critical bugs? On average? What defines "critical"? What about bugs that were non-issues and became critical as the result of another bug? How do we measure time? From the bug going public? From the bug's discovery? From the bug's creation? All of this ambiguity results in a pointless discussion.

Better questions need to be asked. Could the system be realistically configured in a manner to negate or minimize the bug? Is this configuration information provided by the vendor?

I know that people scoff at the DOD/MIL standards regarding computer security... however it should be kept in mind that these documents standardize a method of quantifying operating system security that is universal and sane. When spending potentially millions of dollars on what to use... arguments like

Linux has its advantages
Windows has its advantages
Linux has its downfalls
Windows has its downfalls
people....it's 6 of one, half dozen of another....
such placating dismissals indicate a clear lack of understanding of quantifiable security.

Start asking the right questions and you'll find that you don't need to keep asking them.

cheers,

catch