It's the Microsoft w-a-a-a-a-a-y!
Create features, functions, and facilities that are inherently insecure! Yee haw!
ActiveX was the first significant step down this long and slippery slope. There's an O'Reilly book on HTML from about the time of ActiveX's debut, when Netscape was still the godzilla of browsers. In it, the author specifically warns against using ActiveX on a webpage because of the security risk. Did Microsoft act responsibly? No, of course not.
From another perspective, what MS has done over the years is to tightly integrate the OS and all applications (at least those from MS). Doing this has the effect of making those apps a part of the OS, increasing the size of the OS, and hence increasing the likelihood of there being security holes.
This is nothing new. Windows and, iirc, DOS have had undocumented trap doors in them for many years, so Excel could do its own memory allocation and thereby bypass the inefficient scheme in the OS.
The thing I wonder is this: why can a small security firm figure out these holes, yet MS, with its hordes of employees, can't? Can it possibly be that MS doesn't hire the best and the brightest, or is it that it simply doesn't bother to look at the security implications of various bells and whistles?
Don't tell me it's so!