>>Yes by running IIS instead of Apache you get a get-out-of-jail free card when you leak all the medical data of your patients.
IIS + .Net + SQL has indeed had an order of magnitude fewer vulnerabilities than a Lamp stack over the last decade. Most of the leaks you read about are from OSS systems.
Netcraft says IIS now has an over 10% larger market share than Apache so if there was any inherent problem with IIS we would know about it by now.