One thing I’ve noticed over my 20+ years in IT: Linux servers tend to be “left alone” while Windows servers are often over administrated. Windows admins have become so tuned to “Patch Tuesday” that they make sure everything is patched quickly. Linux admins often take the “it’s safe, it’s a Linux server” approach. I’ve seen RHEL servers go months between patches, and I’ll even admit that Ubuntu servers I have running in my lab go a few months between patches/reboots.
The secondary issue with this is that Microsoft is so under the microscope for every little transgression that they’ve had no choice but to be 100% transparent with their vulnerability patching. Meanwhile, Linux patches come and go, and unless there’s a secOps manager or auditor banging on findings, those systems aren’t prioritized.
This isn’t conjecture on my part. This is demonstrably true across at least a dozen companies I’ve worked under from finance to healthcare to government. I’m not saying that it’s the standard, but it’s true in sectors where it really shouldn’t be. This leaves very public CVEs wide open on Linux systems, making them easy targets.
I overall agree with your description. In fact one of the supporting arguments for Linux being inherently more secure is that even with rampant poor patching practices, the huge number of Linux servers facing the web and in enterprises are, by and large, not getting taken down/out very often.
That's no excuse for not patching, of course. Even Russian roulette is non-fatal 5 times out of 6.