I'm going to go with "it depends on the services you decide to run." I'd like to say a lot, but I'll go with a few people have read the article I did for one of the newsletters and my post in Addicts. I had a Mandrake 9.1 server rooted in less than 48 hours. However, I put it up live on the default install with no patches... no upgrades... just straight from the CD. I had Samba running and ssh... both servers were vulnerable to a few exploits. This right here shows you that you can't judge out-of-the-box software.

If gore releases a distro, a new root exploit comes out for ssh, and then I release a distro, mine may SEEM more secure because I'll have more than likely included the patched/updated version of ssh. However, if you install gore's and update and patch everything and open minimal ports and use the firewall that's set up during install, and you install mine with every service running and no firewall or protection... his will seem more secure. I think that plain and simple it comes down to the experience and knowledge levels of the operator/administrator... Even then, people with experience still make mistakes and miss things.

Hell, if you want to start comparing default installs, run the install for Win 2k3 and then take like MDK 9.2... or Slack 9... or hell, even RH 7.3... and put them live on the net; the odds are the Linux box will be successfully hit first. Sure, you may get virus/worm infections in Win... but the possibility for attacking vulnerable services on the nix machine will be endless. There's no such thing as a secure install out of the box... only the illusion of security.