Depends on who you ask, for example, taking the top 50 products with new vulnerabilities discovered in 2016[1], Windows 10 got less vulnerabilities than the Linux Kernel and OS X.

This could either mean that Windows 10 has become more secure than its most popular competitors, or that researchers hadn't invested enough resources to audit Windows 10 properly.

Taking into account the results from previous years and previous versions (like 8.1), my personal conclusion is that Windows has actually become more secure.

[1] https://www.cvedetails.com/top-50-products.php?year=2016

Well, there's also how serious the vulnerabilities are. Linux kernel had 4 code execution vulns, Windows 10 had 44. Linux had 44 gain privilege vulns, Windows 10 had 79. Linux seemed to have mostly DoS vulns, which is admittedly not great, but I'd rather a server go down then get compromised and used to take over the rest of the network. Then there's the fun stuff, like mimikatz, that's been around since windows XP and still can pull passwords from windows 10...

It is expected that the smallest attack surface will have less critical vulnerabilities, comparing an entire distro gives you a different picture, since categories like code execution get similar results.

The stark contrast is in the privilege escalation vulnerabilities from the Windows side vs the other categories on the Linux side.

I would assume that many persons prefer a server to go down, corrupt its data and leak it, rather than get compromised. The fine print is that the leaked data may contain information to compromise the server[1].

[1] https://en.wikipedia.org/wiki/Heartbleed

Yeah, but now you swung in the opposite direction. Look at Debian Linux's 2016 code exec vulns and you'll see it's got a like Firefox and Chrome and Drupal and Mercurial... not exactly OS components... whereas the windows 10 vulns are are windows OS components. I'd personally be curious if any of those "debian vulns" would be equally applicable to the same software installed on windows.

The biggest issue with Windows isn't its inherent security, it's the way it's used. Most users run everything with super admin rights. Most developers require that for installs.

OSX is right behind it, with a culture of laxness that undoes most of the benefits the designers tried to give them.

I've run into "security software" for domain computers that required every computer to have the same local admin password... and for it to be enabled on every computer.

Hehe, I once saw a corporate network where the root password on all Un*x systems was ${vendor}xyz, i.e. sunxyz for a Solaris box, ibmxyz for AIX, and so forth. I hope at least they disabled root login via ssh.

I've not seen that, but I have seen one where the root password was the vendor who supported it - like capgem123 ibm123 etc.

Not quite as bad, but still pretty weak.

Exactly. That's ridiculous thinking far beyond what the OS designer is responsible for.

What do you mean by secure? What kinds of OS functions and capabilities do you consider the purview of an OS from a security standpoint?