Bad bet, IMO - anyone with a lick of sense would air-gap that webserver from the critical systems, regardless of OS. That's how we did it when I was in banking, and we ran our webserver on Solaris, so it's not a Windows thing. Personally, I'd bet it's one of two things. One, an inside job, or two, they're not as careful with their security as they should be. All you need is one person leaving their password on a Post-It where the janitor can find it, and it really doesn't matter what your OS.
Well, theory #2 is totally obvious, isn't it?
Let's suppose that the Wall Street Journal report is correct, and their network was penetrated by a virus that allowed an intruder to access their internal network and steal millions of credit card accounts. Which platform is most vulnerable to viruses?