Playing devil's advocate for a moment...
Windows has basic security features integrated into it which the competition doesn't match:
* Firewall filtering by application, user, group, IPSec state, source/dest IP/port/protocol at the same time
* Simple to apply FDE based on combined TPM, Password and Startup Key with emergency escrow
* Fully administrator-controlled, certificate-based whitelisting/blacklisting of all executable code
* A built-in AV/HIPS solution which can be configured to block all unknown software (ala. PrevX)
* Network Intrusion Prevention to identify and block malicious traffic in order to protect legacy software
* Per-binary digital signatures, allowing for a simple integrity check of the entire system, including DLLs
* Advanced compile-time and runtime security mitigations which other OSes are yet to implement by default
* A safe and secure means of enabling backwards compatibility flags for applications up to 25 years old
* Background updating of trusted root certificates independent of Windows Update to keep PCs working
A lot of the development for the above relied upon telemetry data collected as early as Windows XP SP2 through CEIP (which was automatically enabled) if people opted to choose Microsoft Recommended Defaults. Backwards compatibility for instance relied upon Microsoft collecting error reports from older software crashing in order to know which shims to develop to best serve the userbase.
Now let's compare with the competition:
If you use macOS, you need to install Little Snitch, Santa and Sophos to approximate what Windows has built-in for security. FileVault doesn't allow a startup key but does allow a rough equivalent to TPM+Password in newer Macs. In theory, Apple is heading in a better long-term direction, requiring notarisation of binaries through a CA they control while also putting an end to kexts entirely. But right now they still allow users to override the policy to run non-notarised apps as if they're equal. Until Apple makes notarisation mandatory for an app to be considered signed, it's honestly no better off than Windows with WDAC set to block unsigned binaries and Windows Defender Antivirus set to Zero Tolerance.
If you use Linux then good luck to you, as the basics are missing in most places (unless you're using RHEL), so you'll need to write a custom SELinux policy and use a tool like opensnitch to get an equivalent result. If you opt for FreeBSD, then you're even more screwed due to a complete lack of mitigations as basic as full ASLR.
So are we right to say Windows is all bad? Sure it runs a lot of services as SYSTEM, which (when equated to root) Linux and macOS do not. Software patching is also a nightmare on Windows compared to using software repos on RPM/DEB based distros. But at the same time, it has a lot of built-in security tools which are decent which the competition lacks....