Per Secunia IIS has fewer seccurity holes than Apache, and per Zone-H Apache is hacked significantly more.
I don't think that's the point. We're talking about people running it from home, which likely means they really don't know what they're doing. Prior to IIS 6 (and Win98 was referenced so PWS/IIS 3/4(?) is fair game) this was a very big mistake since most everything got installed and left open by default. That's a huge gaping hole that non-pros don't have much chance of securing successfully. Apache installed without everything on, or even included, by default, so would have been a safer bet for those people.