InformationWeek's Johanna Ambrosio published an article that offers useful data bearing on the Linux-versus-Windows security debate.
Here are some of the highlights, excerpted from the article:
Recently, the U.S. Computer Emergency Readiness Team, or CERT, reported that during 2005, Linux and Unix combined had 2,328 vulnerabilities, compared with 812 vulnerabilities for Microsoft Windows.
A separate query of the National Vulnerability Database (NVD), maintained by the National Institute of Standards and Technology, yielded similar results: During 2005, there were 119 vulnerabilities reported in the core Linux kernel, the one used by all the various Linux distributions, says Peter Mell, the database's main administrator. This compares with 61 published vulnerabilities for Windows XP, according to the NVD. Moreover, the trend appears to be going upward. The 119 vulnerabilities found in Linux during 2005 compares with 47 in 2004, 16 in 2003, and 11 in 2002, Mell says.
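The per-product, per-year figures quoted above come from tallying NVD entries by the products listed in their CPE configurations. The script below is an added example, written for this page and not taken from the InformationWeek article, NVD or any of the people quoted. It assumes the shape of the legacy NVD JSON 1.1 feed (CVE_Items, each with configurations.nodes[].cpe_match[] entries carrying a cpe23Uri and a vulnerable flag); the records in SAMPLE_FEED are constructed placeholders whose IDs do not describe the real entries with those numbers. It shows the three choices that move such numbers: a CVE listed against several versions of one product must count once, a CVE can be bucketed by its ID year or by its NVD publication date, and a "Linux and Unix combined" total must be deduplicated by CVE rather than summed per product.

```python
"""Tally NVD entries per product and year from a feed in the legacy NVD JSON 1.1 shape.

Added example for this page; not code from the article or from NVD. The feed
layout is an assumption about the legacy 1.1 feed, and every record below is a
constructed placeholder, not a real CVE.
"""
from collections import defaultdict


def _cpe_entry(uri, vulnerable=True):
    return {"vulnerable": vulnerable, "cpe23Uri": uri}


def _item(cve_id, published, cpes):
    """Build one CVE_Items record in the assumed 1.1 layout."""
    return {
        "cve": {"CVE_data_meta": {"ID": cve_id}},
        "publishedDate": published,
        "configurations": {"nodes": [{"cpe_match": [_cpe_entry(u) for u in cpes]}]},
    }


# Constructed sample feed; IDs are placeholders, not real advisories.
SAMPLE_FEED = {"CVE_Items": [
    # Two affected kernel versions: must count as ONE kernel vulnerability.
    _item("CVE-2005-0001", "2005-02-10T00:00Z",
          ["cpe:2.3:o:linux:linux_kernel:2.6.10:*:*:*:*:*:*:*",
           "cpe:2.3:o:linux:linux_kernel:2.6.11:*:*:*:*:*:*:*"]),
    # Kernel bug with a 2004 ID but published in 2005: bucket depends on the year rule.
    _item("CVE-2004-0002", "2005-01-05T00:00Z",
          ["cpe:2.3:o:linux:linux_kernel:2.6.9:*:*:*:*:*:*:*"]),
    # Windows XP entry.
    _item("CVE-2005-0003", "2005-06-14T00:00Z",
          ["cpe:2.3:o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*"]),
    # Userland bug affecting a Linux distro and a BSD: one CVE, two products.
    _item("CVE-2005-0004", "2005-09-01T00:00Z",
          ["cpe:2.3:o:redhat:enterprise_linux:4:*:*:*:*:*:*:*",
           "cpe:2.3:o:freebsd:freebsd:5.4:*:*:*:*:*:*:*"]),
    # Entry from another year; must not leak into the 2005 totals.
    _item("CVE-2004-0005", "2004-11-20T00:00Z",
          ["cpe:2.3:o:linux:linux_kernel:2.6.8:*:*:*:*:*:*:*"]),
]}


def vulnerable_products(item):
    """Return the set of (vendor, product) pairs marked vulnerable in one NVD item."""
    found = set()
    for node in item["configurations"]["nodes"]:
        for match in node.get("cpe_match", []):
            if not match.get("vulnerable", False):
                continue
            parts = match["cpe23Uri"].split(":")
            # cpe:2.3:<part>:<vendor>:<product>:<version>:...
            found.add((parts[3], parts[4]))
    return found


def _year_of(item, year_from):
    cve_id = item["cve"]["CVE_data_meta"]["ID"]
    if year_from == "id":
        return int(cve_id.split("-")[1])
    return int(item["publishedDate"][:4])


def count_by_product(feed, year, year_from="published"):
    """Count distinct CVEs per (vendor, product) for one year.

    year_from="published" buckets by NVD publication date; "id" buckets by the
    year embedded in the CVE identifier. The two give different totals, so a
    quoted figure should state which rule it used.
    """
    counts = defaultdict(int)
    for item in feed["CVE_Items"]:
        if _year_of(item, year_from) != year:
            continue
        for key in vulnerable_products(item):  # a set, so one count per product per CVE
            counts[key] += 1
    return dict(counts)


def count_combined(feed, year, products, year_from="published"):
    """Count distinct CVEs that touch ANY of the given (vendor, product) pairs.

    Deduplicated by CVE ID, so a bug shared by several listed products counts
    once; summing per-product counts instead would overstate a combined total.
    """
    wanted = set(products)
    ids = set()
    for item in feed["CVE_Items"]:
        if _year_of(item, year_from) != year:
            continue
        if vulnerable_products(item) & wanted:
            ids.add(item["cve"]["CVE_data_meta"]["ID"])
    return len(ids)


if __name__ == "__main__":
    unix_like = [("linux", "linux_kernel"), ("redhat", "enterprise_linux"), ("freebsd", "freebsd")]
    print("2005 by publication date:", count_by_product(SAMPLE_FEED, 2005))
    print("2005 by CVE ID year:     ", count_by_product(SAMPLE_FEED, 2005, year_from="id"))
    print("2005 combined Unix-like: ", count_combined(SAMPLE_FEED, 2005, unix_like))
```

On the constructed feed the kernel gets 2 entries for 2005 by publication date but only 1 by ID year, and the combined Unix-like total is 3 rather than the 4 a per-product sum would give. Any comparison like the one quoted above is only meaningful when both sides were counted with the same rules.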
As the popularity of Linux increases, some question whether the open-source development model will continue to serve Linux well from a security perspective. "To a large extent, this could be a failure with open source," says Ira Winkler, an independent consultant, president of the Internet Security Advisors Group, and author of Spies Among Us. The primary issue he sees is a lack of consistency in regression testing and other quality-control issues. Because many people may be contributing code in the open-source model, there's no way of being sure exactly how that code has been bulletproofed, or even whether any best-practice testing methodologies have been used across and between contributors.