System security is 95% administration. If Microsoft is to be faulted, I would blame them more for encouraging a culture of ignorance which leads to lax administration of Windows servers.
Any system can be configured to be relatively secure, and any system can be (mis)configured to be wide open. And any system that is on the Internet and not maintained, given long enough, will eventually be vulnerable to attack.
I was there when a senior manager said to an IT guy, "I want to see you checking LAN drops and backing up the servers, not surfing the net for security information."