"How does a desktop OS have a larger attack surface?"
1) It does support many more network protocols than a mobe, and related services/daemons
2) It has far more and more complex APIs
3) It runs a broader variety of and far more complex applications (just look at how an Apache Struts vuln can create havoc...)
4) Applications can interact in many more ways
5) Unlike most mobes they can receive network connections initiated from other machines (and usually mobes are behind the mobile company NAT system, which shields them from direct attacks)
6) Users perform more complex operations, involving more complex documents and data (which may be used as attack vectors)
7) As already said, they need to support a lot of old, legacy applications.
8) Unlike a mobe, there are far more concurrent services and applications running
9) The amount of RAM, CPU cycles, and disk space makes it far easier to hide malicious code.
10) It does support a far broader range of devices, and thereby needs their drivers
If you believe your mobe OS is alike a desktop OS, ask yourself why Google don't run everything on Android...