Yes, that is the essential truth.
I had been using IIS on WinNT at work for development purposes, which to my knowledge, no hackers were trying to get into. A version of the Nimda virus found the instance of IIS on my computer and proceeded to modify all sorts of files on my computer. Real nice. Granted the network ops guys were asleep on the job, but this virus doesn't make its home in Apache which I promptly switched to.
I'm sorry if my rant cast an aspersions on your abilities. Unintended.
The Nimba and Code Red viruses could have been prevented if the patch that Microsoft released months earlier had been installed. In fact, it was the description of the problem on Microsoft's site that gave the hackers the idea. :-(
The original goal was to make administration and all features of the server web enabled and other features open by default. Though this makes computing easier for those trying to implement solutions (like running executables in Outlook), it also makes it easier for hackers. Thus, Microsoft will be shipping OSes in the future without installing software and keeping ports closed. Safer yes. Less functional for users, yes.
The above is the default for UNIX implementations and thus, fewer hack attacks. Microsoft has reconciled itself to the fact that there people who are unfairly against Microsoft and wish it harm (Dominic??? :-) ).