True. But in the security biz, there's a big difference between a "local" and a "remote" vulnerability. A local vulnerability can only be exploited by a user with login privileges--i.e., the computer's owner, or someone authorised by the owner to use the machine. A remote vulnerability, on the other hand, can be exploited by any random shmoe in Chechnya.
When people say Windows is "vulnerable", they mean that within a minute of connecting a new machine to the Internet, you're probably already infested with viruses and pwned by a Russian spammer. Nothing like that is remotely true of a Mac; you can connect an out-of-the-box Mac to the internet with essentially no fear.
It isn't as bad as it used to be. MSFT used to leave TCP ports 139 for NetBIOS and 135 for RPC wide open by default. My dog could get admin access. On the older versions of NT there was no way to even plug the ports. Even disabling NetBIOS would blow NT up.
People like J. Allard (he was MSFT's TCP/IP "guru"; now he's shaved his head and pushes Xboxes) used to claim there were no holes and that NetBIOS was secure... as far as I am concerned he is a putz and a friggin liar, but that was the MSFT way. It cost them and everyone else a lot.
The OSes (2003 and XP SP2) have come a long way in terms of being secure but... I think that the MSFT product groups still leave too many holes open. Outlook was just plain evil... basically it was a hacker's VM.