I found the results of this report interesting because Symantec is not always on the best of terms with Microsoft. Despite this fact, Symantec's study found that Windows Server – quoting InternetNews here – "had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006." Read more at Symantec's 11th Annual "Internet Security Threat Report."
Here's a statement from Symantec:
Alfred Huger, vice president of engineering for Symantec Security Center, said the real problem is with Web applications, where two-thirds of all vulnerabilities are found. Operating systems are fairly minor, and despite the long time periods, the vendors are doing "an ok job, just not stellar."
I found this interesting because just the other day I read the CSO blog on the RHEL5 launch and the 11 security advisories that came with it. Of note is the "critical: firefox security update" seen in the screen capture, which the MSRC folks say was made public Nov. 23, 2006. I'd consider that to be the real critical flaw.