Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: softwarecreator
Sorry fella, but I'll have to disagree here too. A large proportion of the virus/worm attacks these days is fueled by the unholy alliance between criminal elements and spammers (I generally consider them to be one and the same). There are huge bot-nets of zombies being 'rented' out to spammers these days, and it would appear that much of this activity is at least moderately organized.

The reasons Microsoft products are attacked so frequently are multi-faceted. First, and foremost IMO, is that most Windows boxes are the low-hanging fruit of the internet. The tight integration between the browser, ActiveX, and the operating system combined with defects in all three components are the enablers that allow the boxes to be 'owned' so easily.

Second, and this ranks pretty high up there as well, is that the vast majority of Windows users are completely computer illiterate. For many of these users, if a file they created doesn't exist on their 'desktop' or in the 'my documents' directory, the file is lost to the user for all practical purposes because they have no idea how to find a file that might have been misfiled for some reason. I see this all the time, and it's extremely frustrating to me, as a long-time nerd. People generally have no desire to learn anything about directory structures and methods of how to organize their data even though it would make their life much easier in the long run with just a little bit of initial effort on their part. I imagine that serious automobile mechanics feel the same thing about most car owners for similar reasons.

Third, the security model under Windows is, for the most part, almost non-existent. The vast majority of users out there log in as an administrative user because they don't know any better, and because of the extremely poor design decisions the writers of some software have made that require it.

On a side note, I had a discussion with a fellow I work with the other day that touched on exactly this issue. Something that came to mind was the warning you see if you are using Linux and run a program called "xcdroast", which is for writing CDs/DVDs. If you start the program while running as the 'root' user, it presents you with an annoying initial dialog box (that can't be disabled), telling you how incredibly stupid (they actually use the word) it is to run the program as root. They give you the option to continue as root but recommend most strongly against it. Our discussion expanded from that, as I'd like to see Linux window managers say exactly the same thing if you log in as root, or execute any program as root, so as to remind the user that usernames exist for a reason. From what I understand, the folks at Apple take that approach a bit further in that there are separate "root" and "administrator" users under OSX that are used to install software. It's a good solution IMO and mitigates greatly the damage that a computer illiterate user can do.

Personally, I'd like to tar and feather the folks who create malicious code, but in today's society, that's not likely to be accepted by most. However, it is the software vendor's responsibility to make sure that stupid and avoidable defects (i.e., buffer overflows) don't exist in their software, so there is a fair amount of responsibility on the vendors. I think Microsoft gets much more of a free pass on such things than they deserve.

46 posted on 04/30/2005 10:39:14 AM PDT by zeugma (Come to the Dark Side...... We have cookies! (Made from the finest girlscouts!))
[ Post Reply | Private Reply | To 44 | View Replies ]


To: zeugma
Very good post, you know what you are talking about and don't go off on a tangent.  It's refreshing to read something where the writer has insight, makes good points and yet, doesn't "brow beat".  Thank you.
51 posted on 04/30/2005 11:17:49 AM PDT by softwarecreator (Facts are to liberals as holy water is to vampires)
[ Post Reply | Private Reply | To 46 | View Replies ]

To: zeugma
"I think Microsoft gets much more of a free pass on such things than they deserve."

I agree with your take - and let me add: Much of the corporate client software written to run on Microsoft platforms REQUIRES the user to run the client as local admin and I think this is where the problem is. Billions of corporate dollars are preventing MS from doing the right thing and forcing software writers to obey the security laws that dictate that the end user NOT be allowed to run as local admin. It is the most annoying problem I deal with at work.

69 posted on 04/30/2005 3:40:06 PM PDT by UseYourHead (Just when I think you've said the stupidest thing ever, you keep talking.)
[ Post Reply | Private Reply | To 46 | View Replies ]

To: zeugma

"Third, the security model under Windows is, for the most part, almost non-existent. The vast majority of users out there log in as an administrative user because they don't know any better, and because of the extremely poor design decisions the writers of some software have made that require it."


First, security is a main concern within Windows. Your own two statements show why that security is voided by users, not the OS.

For you to say security is "almost non-existent" means you haven't a clue what you are talking about. I bet you are one of those people that do not know the difference between Windows 9x and Windows NT, aren't you?


84 posted on 05/01/2005 2:47:40 PM PDT by shellshocked (They're undocumented Border Patrol agents, not vigilantes.)
[ Post Reply | Private Reply | To 46 | View Replies ]



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson