1) This test had nothing to do with anyone compromising the system, it was merely counting posted advisories.
2) MS makes it a policy not to post holes until they are ready to fix them, Linux post them right away. This means your data is being gathered in different ways.
3) Without seeing the warnings they were counting we have no way of knowing how severe they were. Linux could have had a minor bug, and MS could have had an ownership bug.. (or vise-versa)...
4) The admins used out of the box configs, net securing either OS. Part of being an admin is securing an OS.
From the description of this 'study' its pretty useless to make any conclusions...