If by "developers" you include the managers and executives who make the decisions about whether or not to use software validation and flaw-checking tools, then yes. In general I think the Windows programmers -- the designers and coders -- are doing about as well as any other bunch, whether Apple's or Google's or Linux's. But the folks who manage them are the ones with the budgets to pay for expensive but critically important tools to ferret out vulnerabilities BEFORE they get out in a release. The folks who manage are the ones with the Gantt charts screaming that the release has to be done because otherwise they'll miss their Bahamas vacation. It's harder, but not impossible to find them in the Linux community too.
> [Linux is] already a major vector for the malware that creates the botnets, and it's already been the source of many data breaches.
This sounds like a bit of a reach...
If you mean "Windows malware hosted on Linux servers", then sure, Linux servers, especially webservers, are ubiquitous and doubtless are used to distribute malware that runs on other platforms. The only way to avoid that would be for Linux admins to pay for Windows and other OS malware identification tools, and upsize their Linux servers to protect against non-Linux threats. Yes, they could, but really, that's not solving the problem at its source.
I was not referring to Windows botnet (and other non-Linux) malware that shows up on Linux servers, any more than Apple malware that shows up on Windows servers.
I was speaking about malware that -runs- on Linux -- the stuff that Linux programmers could be checking for in their own code. If that's what you meant, could you be more specific about this Linux software that's a major force in creating botnets of Linux boxes? I'm only aware of a little bit.
Applying the same standard you seem to be expecting from Microsoft, every newly discovered Linux vulnerability is stuff that Linux programmers should have been checking for in their code.
By your account, if a Windows user disables updates and their machine gets compromised because it wasn't patched, then Microsoft is responsible for shipping an insecure OS in the first place.
By the same token, if a Linux sysadmin running a free Linux distro doesn't keep his systems patched and they get compromised, who are you going to hold responsible for shipping an insecure OS, and how do you intend to collect damages?