IIS vs Apache (digression.... whatever...)
We digress, but I like this argument. The stats here are ripe for (IMHO) misinterpretation to support agendas, usually those of the *nix fanboy...
The vast majority of websites are built by unskilled people working with resold packaged services running on faceless server farms. The fact that Apache is free software and runs on free operating systems means that it is well suited as a webserver for this business model (software costs do not scale with capacity in the same way that licensed software does) and, more importantly, is more likely to be administered by technical professionals that know how to properly configure and secure their servers.
IIS, on the other hand, is marketed as a good choice for everyone else. Due to its ease of use it's more likely to be used by non-tech businesses with less skilled IT staff and as such it's more likely to be left with an insecure configuration.
Viewed this way we can see that the disparities between attack success rates on IIS and Apache are more a result of marketing and economics than other factors. There are many companies who have successfully implemented complex, high-volume websites running on IIS and complementary proprietary back-end languages and do so pretty securely. The fact that these are rarer than their F/OSS counterparts is more complicated than some simplistic 'Microsoft/Closed-source is rubbish' arguments would suggest...
And in case you're wondering, my home network consists of 3 Linux boxes, which work very nicely - for the most part! I accept that neither Linux nor Windows is going to be problem-free but I can generally solve problems encountered on Linux a little faster than I can on Windows, though I'm confident I, or anyone else competent enough, could happily run a spam-free Windows network if necessary.