One rule for one,
When it's OSS it's improperly configured. When it's Windows it's piss poor development and insecure by default.
Having multiple websites on one installation of a web server where a bit of software can infect all sites sounds like more than just a bit of bad configuration.
Where's the secure-by-default, safe out of the box hype from the OSS crew? It's all crap, closed source, open source. All have holes, some call them poor configuration, others call it insecure by default.
Bottom line is that every application is secure. (IIS, Apache, Windows, RH, Office, OpenOffice). It's the admin that buggers it up - not if it's open or closed sourced software. If Windows admins woke up, read up and then ACTED on best practice and common sense then Windows would be able to hold its head high. Nice to know that shit administrators exist outside of MS networks.